Syscon Firmware: Difference between revisions

From PS3 Developer wiki
 
(166 intermediate revisions by 12 users not shown)
Line 1: Line 1:
Syscon Firmware is the firmware stored on the System Controller EEPROM (see [[Syscon Hardware]]). Updates are stored in update packages within the Update_files.tar of a [[Playstation Update Package (PUP)]]. Syscon Packages appear to always be 5KB (5376 bytes) in size.
= Description =
The '''Syscon firmware''' (also known as '''sys'''tem '''con'''troller '''firmware''') is the software stored inside [[Syscon Hardware|syscon]]. Composed by the base firmware (not updateable in retail syscon models) and a optional patch that is applyed virtually on runtime on top of the base firmware<br>
The syscon patches (also known as system controller update packages) for retail PS3 models are distributed in [[PKG_files|PKG]] format inside the [[Update_files.tar]] of the [[Playstation Update Package (PUP)|PS3UPDAT.PUP]]s. Syscon patches appear to always be 5KB (5376 bytes) in size.


= Update procedure =
The PS3 firmware installer PUP's contains a collection of syscon patches for all the different syscon's chips used in the different motherboard models. The ps3swu.self (system updater) checks the syscon [[More_System_Information|SoftID]] and installs the compatible patch accordingly (via updater manager ss service).<br>
The non-retail PS3 models with syscon [[CXR713F120A]] don't have patches, this special syscon model with the "F" product code (that seems to indicate that is fully flasheable) allows to overwrite the base syscon firmware through the [[Communication Processor]]


= Syscon update packages =
= Syscon firmwares =
d/l: [http://www.multiupload.com/JHBCOCGNUR syscon_fw1.00-4.00.rar (51.74 KB)]
{| class="wikitable"
 
|+Mullion
== Package structure ==
! <abbr title="Syscon firmware build id">SoftID</abbr> !! Firmware version !! Build target !! Build date !! Adds support for [[Platform ID]]s !! Corresponding [[SCEI PS3 SDK|SDK]] / [[Communication_Processor|CP]] versions !! Notes
Sys_con_firmware Packages can be unpacked with unpkg
|-{{cellcolors|lightgrey}}
 
| -    || v0.4.5_b4  || BACKUP      || 2005      || (Cyt1.0), (Cyt1.1), (Cyt2.1), (Cok01)    || 0.40 || Only used on the backup bank of flash models
=== Overview ===
|-{{cellcolors|lightgrey}}
{|class="wikitable"
| 06DA || v0.6.1_c8  || CYTOLOGY    || 2006/01/31 || Cyt1.2, Cyt2.0, Cyt2.2, (Cok02), (Cok03)  || 0.80 / 0.3.2 ||
|-{{cellcolors|lightgrey}}
| 073E || v0.6.10_c4 || CYTOLOGY    || 2006/03/01 || (Cok05)                                  || 0.81 / 0.4.3/0.4.7 ||
|-{{cellcolors|lightgrey}}
| 07FF || v0.6.11_c4 || CYTOLOGY    || 2006/03/27 || Cyt3.0, Cyt3.1, Cyt3.2, (Cok08)          || 0.82 / 0.5.3 ||
|-{{cellcolors|lightgrey}}
| 086C || v0.6.12_c5 || CYTOLOGY    || 2006/04/11 || -                                        || 0.83 / 0.6.4/0.6.5/0.6.7 ||
|-{{cellcolors|lightgrey}}
| 08F1 || v0.6.12_c7 || CYTOLOGY    || 2006/04/22 || -                                        || 0.83 ||
|-{{cellcolors|lightgrey}}
| 0955 || v0.6.14_c4 || CYTOLOGY    || 2006/05/01 || -                                        || 0.84 / 0.7.1 ||
|-{{cellcolors|lightgrey}}
| 0AF4 || v0.8.4_c8  || CYTOLOGY    || 2006/06/23 || (Cok11)                                   || 0.85 / 0.8.4/0.8.8 ||
|-{{cellcolors|lightgrey}}
| 0B48 || v0.9.9_c1  || CYTOLOGY    || 2006/07/07 || Cyt3.3, Cyt3.4, (Cok12), (Cok13), (Cok14) || 0.90 / 0.9.1 ||
|-{{cellcolors|lightgrey}}
| 0B67 || v0.9.13_k1 || COOKIE      || 2006      || -                                        || -  || [[COOKIE-13]], [[COK-001_(Prototype)|COK-001(Proto)]], etc... with a [[CXR713F120A]]
|-{{cellcolors|lightgrey}}
| 0B74 || v0.9.14_c1 || CYTOLOGY    || 2006/08/03 || -                                        || 0.91 / 0.9.2 ||
|-
|-
! Address !! Length !! Value !! Description
| 0B8E || v1.0.0_k1  || COOKIE (201) || 2006      || -                                        || -    ||
|-{{cellcolors|lightgrey}}
| 0B9D || v1.0.1_c1  || CYTOLOGY    || 2006/08/31 || -                                        || 0.93 / 0.9.4 ||
|-
|-
| 0x00 || 0x4 || ASCI:"SCE" || SCE magic header
| 0C16 || v1.1.3_k1  || COOKIE (202) || 2006      || CokB10                                    || -    ||
|-{{cellcolors|lightgrey}}
| 0C23 || v1.0.3_c1  || CYTOLOGY    || 2006/12/04 || -                                        || 1.50 / 1.1.1 ||
|-
|-
| 0x04 || 0x4 || 0x2 || Flags
| 0D52 || v1.2.3_k1  || COOKIE (203) || 2007      || CokC10, CokC11, CokC12, CokD10            || -    ||
|-{{cellcolors|lightgrey}}
| 0D79 || v1.0.4_c1  || CYTOLOGY    || 2007/06/21 || -                                        || 1.90 / 1.2.0 ||
|-
|-
| 0x08 || 0x4 || 0x3 || Type (0x3 = PKG)
| 0DBF || v1.3.3_k1  || COOKIE (301) || 2007      || -                                        || -    ||
|-{{cellcolors|lightgrey}}
| 0E4E || v1.0.4_c2  || CYTOLOGY    || 2007/11/08 || -                                        || 2.40 / 1.3.1 ||
|-
|-
| 0x0C || 0x4 || 0x0 || Blank/Unknown
| 0E69 || v1.4.4_k2  || COOKIE (302) || 2007      || CokE10, Deb01                            || -    ||
|-
|-
| 0x10 || 0x4 || 0x0 || Blank/Unknown
| 0F29 || v1.5.0_k2  || COOKIE (303) || 2009      || -                                        || -    || Removes hardcoding from previous firmware, adds support for 65nm RSX - <span style="background:#ff4444; cursor:wait;">not dumped yet</span>
|-
|-
| 0x10 || 0x8 || 0x280 || Start Data Offset ('hdr_len')
| 0F38 || v1.5.1_k2  || COOKIE (304) || 2010      || -                                        || -    || Adds support for 40nm RSX
|-{{cellcolors|lightgrey}}
| 0F3B || v1.0.5_c1  || CYTOLOGY    || 2010/05/12 || -                                        || 3.60 / 1.3.3 ||
|}
 
{| class="wikitable"
|+Sherwood
! <abbr title="Syscon firmware build id">SoftID</abbr> !! Firmware version !! Build target !! Build date !! <abbr title="Not final">Adds support for [[Platform ID]]s</abbr> !! Notes
|-{{cellcolors|lightgrey}}
| 0658 || ?.??.? || -      || 2008 || CokF10                        || <span style="background:#ff4444; cursor:wait;">not dumped yet</span> [[VERTIGO-02]]
|-
| 065D || 0.17.0 || SW-301  || 2008 || -                              ||  
|-
|-
| 0x18 || 0x8 || 0x1080 || Data Size ('dec_size')
| ???? || ?.??.? || SW-302  || 2008 || -                              || <span style="background:#ff4444; cursor:wait;">not dumped yet</span> [[VER-001]]
|-
|-
| 0x20 || 0x260 || - || Header
| 0832 || 1.11.0 || SW2-301 || 2009 || CokG10, CokG11                ||  
|-
|-
| 0x280 || 0x40 || - || 'info0' section (see below)
| 0898 || 1.15.0 || -       || 2009 || CokH10, CokH11, CokJ12        ||
|-
|-
| 0x2C0 || 0x40 || - || 'info1' section (see below)
| 08A0 || 1.16.0 || SW2-302 || 2009 ||                                ||
|-
|-
| 0x300 || 0x1000 || - || 'content'
| 08C2 || 1.21.0 || SW2-303 || 2010 || CokJ13, CokJ20                ||
|-
|-
|}
| 0918 || 2.3.0  || SW3-301 || 2011 || CokK10                        ||  
==='info0'===
{|class="wikitable"
|-
|-
! Address !! Length !! Value !! Description
| 098F || 2.12.0 || SW3-302 || 2012 || CokM20, CokM40, CokN10, CokN30 ||
|-
|-
| 0x00 || 0x4 || 0x3 ||  
| ???? || ?.??.? || SW3-303 || 2013 || -                              || <span style="background:#ff4444; cursor:wait;">not dumped yet</span> (unknown PS3 model/motherboard)
|-
|-
| 0x04 || 0x4 || 0x8 ||  
| 09A4 || 2.21.0 || SW3-304 || 2013 || -                              ||
|}
 
= Syscon patches =
<div style="float:right">[[File:MoreSystemInformation_CECHA_with_40nm_RSX.jpg|400px|thumb|left|[[CECHAxx]] Refurbished 40nm RSX / [[COK-001]] / [[CXR714120-304GB]]<br>Syscon firmware '''v1.5.1_k2''' patch '''1''']]<br>[[File:MoreSystemInformation-CECH2004B-270.JPG|400px|thumb|left|[[CECH-20xx]] / [[DYN-001]] / [[SW2-301]]<br>Syscon firmware '''1.11.0''' patch '''1.2.83E.832''']]</div>
 
These patches are in full Retail/CEX and Debug/DEX firmwares. Are intended to fix some problem in the syscon firmware
*Fix 1) System firmware 1.30 (December 6, 2006). Disables UART access to the Syscon EEPROM patch region (not for 0832)
*Fix 2) System firmware 1.81 (June 15, 2007). Patch for the HDMI display data channel read<!-- ''hdmi chstat'' ? --> function (only for 0B8E and 0C16)
*Fix 3) System firmware 3.00 (September 1, 2009). Unknown patch (only for 0832)
*Fix 4) System firmware 3.40 (June 29, 2010) and  3.41 (July 26, 2010). Patch for the rtc read<!-- ''getrtc'' ? --> function (not for 0832)
 
{| class="wikitable"
|-
|-
| 0x08 || 0x8 || - || SC firmware revision (the high word of it is the SC type)
! <abbr title="Syscon ROM Revision">SoftID</abbr> !! sys_con_firmware package !! [[1.00_CEX|1.00]]~[[1.11_CEX|1.11]] !! [[1.30_CEX|1.30]]~[[1.80_CEX|1.80]] !! [[1.81_CEX|1.81]]~[[2.80_CEX|2.80]] !! [[3.00_CEX|3.00]]~[[3.30_CEX|3.30]] !! [[3.40_CEX|3.40]] !! [[3.41-1_CEX|3.41]]~[[4.88_CEX|4.88]] !! Notes
|-{{cellcolors|lightgrey}}
! rowspan=3 | 0B8E
| SYS_CON_FIRMWARE_01000004.pkg || {{No}} || {{Yes}} (fix 1) || {{No}} || {{No}} || {{No}} || {{No}} || Superseded by SYS_CON_FIRMWARE_01000005.pkg
|-{{cellcolors|lightgrey}}
| SYS_CON_FIRMWARE_01000005.pkg || {{No}} || {{No}} || colspan="2" {{Yes}} (fix 1+2) || {{No}} || {{No}} || Superseded by SYS_CON_FIRMWARE_01000006.pkg
|-
| SYS_CON_FIRMWARE_01000006.pkg || {{No}} || {{No}} || {{No}} || {{No}} || colspan="2" {{Yes}} (fix 1+2+4) || [[CXR713120-201GB]] <abbr title="Last 2 bytes of the patch 2 region, at the end of the EEPROM dumps>...4706</abbr>
|-{{cellcolors|lightgrey}}
! rowspan=2 | 0C16
| SYS_CON_FIRMWARE_01010302.pkg || {{No}} || {{No}} || colspan="2" {{Yes}} (fix 1+2) || {{No}} || {{No}} || Superseded by SYS_CON_FIRMWARE_01010303.pkg
|-
|-
| 0x0C || 0x4 || 0x0B8E(1.30-4.84)<br />0x0C16(1.81-4.84)<br />0x0D52(3.40-4.84)<br />0x0DBF(3.40-4.84)<br />0x0E69(3.40-4.84)<br />0x0F29(3.40-4.84)<br />0x0F38(3.41-4.84)<br />0x065D<br />0x0832(3.00-4.84)<br />0x08A0<br />0x08C2<br />0x0918 || 'SoftID'
| SYS_CON_FIRMWARE_01010303.pkg || {{No}} || {{No}} || {{No}} || {{No}} || colspan="2" {{Yes}} (fix 1+2+4) || [[CXR713120-202GB]] <abbr title="Last 2 bytes of the patch 2 region, at the end of the EEPROM dumps>...7214</abbr>
|-
|-
| 0x10 || 0x8 || 0x0001000000000004<br />0x0001000000000005<br />0x0001000000000006<br />0x0001000100030002<br />0x0001000100030003<br />0x0001000200030002<br />0x0001000300030002<br />0x0001000400040002<br />0x0001000500000002<br />0x0001000500010001<br />0x00010002083E0832<br /> || 'PatchID'
! 0D52
| SYS_CON_FIRMWARE_01020302.pkg || {{No}} || {{No}} || {{No}} || {{No}} || colspan="2" style="background:#55CC55; color:#FFFFFF; text-align:right;" | Yes (fix 1+4) || [[CXR713120-203GB]] <abbr title="Last 2 bytes of the patch 2 region, at the end of the EEPROM dumps>...F427</abbr>
|-
|-
| 0x18 || 0x8 || 0x1000 || 'Content' Data Size
! 0DBF
| SYS_CON_FIRMWARE_01030302.pkg || {{No}} || {{No}} || {{No}} || {{No}} || colspan="2" style="background:#55CC55; color:#FFFFFF; text-align:right;" | Yes (fix 1+4) || [[CXR714120-301GB]] <abbr title="Last 2 bytes of the patch 2 region, at the end of the EEPROM dumps>...F321</abbr>
|-
|-
| 0x20 || 0x8 || 0x1000 || 'Content' Compressed Data Size
! 0E69
| SYS_CON_FIRMWARE_01040402.pkg || {{No}} || {{No}} || {{No}} || {{No}} || colspan="2" style="background:#55CC55; color:#FFFFFF; text-align:right;" | Yes (fix 1+4) || [[CXR714120-302GB]] <abbr title="Last 2 bytes of the patch 2 region, at the end of the EEPROM dumps>...5096</abbr>
|-
|-
| 0x28 || 0x8 || 0x0 ||  
! 0F29
| SYS_CON_FIRMWARE_01050002.pkg || {{No}} || {{No}} || {{No}} || {{No}} || colspan="2" style="background:#55CC55; color:#FFFFFF; text-align:right;" | Yes (fix 1+4) || [[CXR714120-303GB]]
|-
|-
| 0x30 || 0x10 || 0x0 ||  
! 0F38
| SYS_CON_FIRMWARE_01050101.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || style="background:#55CC55; color:#FFFFFF; text-align:right;" | Yes (fix 1+4) || [[CXR714120-304GB]] <abbr title="Last 2 bytes of the patch 2 region, at the end of the EEPROM dumps>...16FA</abbr>
|-
|-
! 0832
| SYS_CON_FIRMWARE_S1_00010002083E0832.pkg || {{No}} || {{No}} || {{No}} || colspan="3" {{Yes}} (fix 3) || [[SW2-301]]
|}
|}


Note: PS3 firmwares cannot deal with compressed syscon firmwares, so they will abort the update process in that case.
The screen [[More System Information]] allows to see some details related with syscon. The syscon firmware version can be derived from the SoftID, and additionally if there is a patch installed the PatchID displayed in the screen contains both, the syscon firmware version and the patch version. Note also that there is a direct relationship in between the PatchID displayed in the screen and the patch filename. The syscon UART commands also displays some info related with the base syscon firmware and the patch
 
Some examples from syscon UART:
<div style="float:left; font-size:small;">
<div style="float:top; text-align:center;">'''CECHC, CECHE / COK-002 / CXR713120-202GB'''</div><pre>
>$ revision
0C16
 
>$ version
v1.1.3_k1
 
>$ patchvereep
major:0x0001
minor:0x0001
patch:0x0003
revision:0x0003
 
>$ patchcsum
r1 csum: [00030266] [018DB626] [90662679]
r2 csum: [000069C5] [0046B830] [5E535A06]
</pre></div>
 
<div style="float:left; font-size:small;">
<div style="float:top; text-align:center;">'''CECH-20xx / DYN-001 / SW2-301'''</div><pre>
>$ revision
# Revision = 2098(0832)
 
>$ version
# Sherwood Version = 1.11.0
 
>$ patchinfo
#
# MAJOR  :0000
# MINOR  :0000
# REV    :0000
# SYS_REV :0000
# TABLE  :00FFFFFF
# DATSIZ  :FFFF
# DATSUM  :FFFF
# SUM    :FFFF
# not applyed
</pre></div>
 
<div style="float:left; font-size:small;">
<div style="float:top; text-align:center;">'''CECH-20xx / DYN-001 / SW2-301'''</div><pre>
>$ revision
# Revision = 2098(0832)
 
>$ version
# Sherwood Version = 1.11.0
 
>$ patchinfo
#
# MAJOR  :0001
# MINOR  :0002
# REV    :083E
# SYS_REV :0832
# TABLE  :0000201A
# DATSIZ  :0FAA
# DATSUM  :02AB
# SUM    :035D
# applyed
</pre></div>
<br style="clear: left;" />
 
*Mullion PatchID names format ('''major, minor, patch, revision''')
**0B8E.0000000000000000@SC = syscon firmware '''v1.0.0_k1''', not patched
**[[Media:MoreSystemInformation-CECHA01-102.JPG|0B8E.000'''1'''000'''0'''000'''0'''000'''5'''@SC]] = syscon firmware '''v1.0.0_k1''', patch '''5''' (filename SYS_CON_FIRMWARE_0'''1'''0'''0'''0'''0'''0'''5'''.pkg)
**0F38.0000000000000000@SC = syscon firmware '''v1.5.1_k2''', not patched
**[[Media:MoreSystemInformation CECHA with 40nm RSX.jpg|0F38.000'''1'''000'''5'''000'''1'''000'''1'''@SC]] = syscon firmware '''v1.5.1_k2''', patch '''1''' (filename SYS_CON_FIRMWARE_0'''1'''0'''5'''0'''1'''0'''1'''.pkg)
*Sherwood PatchID names format ('''major, minor, rev, sys_rev''')
**0832.0000000000000000@SC = syscon firmware '''1.11.0''', not patched
**[[Media:MoreSystemInformation-CECH2004B-270.JPG|0832.000'''1'''000'''2'''0'''83E'''0'''832'''@SC]] = syscon firmware '''1.11.0''', patch '''1.2.83E.832''' (filename SYS_CON_FIRMWARE_S1_000'''1'''000'''2'''0'''83E'''0'''832'''.pkg)
 
<br style="clear: both;" />


Note2: The PatchID is also present in the first 8 bytes of decrypted content but 16bit swapped for ARM BGAs
= Package structure =
Sys_con_firmware Packages can be unpacked with unpkg. See [[PKG files]] and [[Certified File]]


==='info1'===
== Header ==
{|class="wikitable"
{|class="wikitable"
|-
|-
! Address !! Length !! Value !! Description
! Address !! Length !! Value !! Description
|-
|-
| 0x00 || 0x4 || 0x0 ||  
| 0x00 || 0x4 || ASCI:"SCE" || SCE magic header
|-
| 0x04 || 0x4 || 0x2 || Version
|-
|-
| 0x04 || 0x4 || 0x3 ||  
| 0x08 || 0x2 || 0x0 || Attribute
|-
|-
| 0x08 || 0x8 || 0x40 || Offset/size?
| 0x0A || 0x2 || 0x3 || Category (0x3 = Update Package)
|-
|-
| 0x10 || 0x4 || 0x0 ||  
| 0x0C || 0x4 || 0x0 || Extended Header Size (no ext header)
|-
|-
| 0x14 || 0x4 || 0x0 ||  
| 0x10 || 0x8 || 0x280 || File Offset (hdr_len)
|-
|-
| 0x18 || 0x8 || 0x1000 || 'Content' Data Size?
| 0x18 || 0x8 || 0x1080 || File Size (dec_size)
|-
|-
| 0x20 || 0x8 || 0x1 ||  
| 0x20 || 0x260 || - || Encrypted part of header
|-
|-
| 0x28 || 0x8 || 0x1 ||  
| 0x280 || 0x40 || - || '''update_package_header''' section (see below)
|-
|-
| 0x30 || 0x10 || 0x0 ||  
| 0x2C0 || 0x40 || - || '''update_package_contents_header''' section (see below)
|-
| 0x300 || 0x1000 || - || '''content''' section
|-
|-
|}
|}
==='content' overview===
 
== Update Package Header ==
{|class="wikitable"
{|class="wikitable"
|-
|-
! Address !! Length !! Value !! Description
! Address !! Length !! Value !! Description
|-
|-
| 0x00 || 0x4 || 0x3 || Header Version? 3 (fixed value for all PS3 update packages)
|-
|-
| 0x0 || 0x1000 || - || 'content'
| 0x04 || 0x4 || 0x8 || SoftType? 8 = SC firmware
|-
| 0x08 || 0x8 || - || SC firmware revision (the high word of it is the SC type)
|-
| 0x0C || 0x4 || 0x0B8E(1.30-4.84)<br />0x0C16(1.81-4.84)<br />0x0D52(3.40-4.84)<br />0x0DBF(3.40-4.84)<br />0x0E69(3.40-4.84)<br />0x0F29(3.40-4.84)<br />0x0F38(3.41-4.84)<br />0x0832(3.00-4.84) || 'SoftID'
|-
| 0x10 || 0x8 || 0x0001000000000004<br />0x0001000000000005<br />0x0001000000000006<br />0x0001000100030002<br />0x0001000100030003<br />0x0001000200030002<br />0x0001000300030002<br />0x0001000400040002<br />0x0001000500000002<br />0x0001000500010001<br />0x00010002083E0832<br /> || 'PatchID' (official name is "version")
|-
| 0x18 || 0x8 || 0x1000 || '''Content''' Data Size
|-
| 0x20 || 0x8 || 0x1000 || '''Content''' Compressed Data Size
|-
| 0x28 || 0x4 || 0x0 || Attribute
|-
| 0x2C || 0x4 || 0x0 || Region
|-
| 0x30 || 0x8 || 0x0 || Image Offset
|-
| 0x38 || 0x8 || 0x0 || Reserved_0
|-
|-
|}
|}


== Known Retail syscon update packages ==
Note: PS3 firmwares cannot deal with compressed syscon firmwares, so they will abort the update process in that case.
These are in full Retail/CEX and Debug/DEX firmwares:
 
{| class="wikitable"
Note2: The PatchID is also present in the first 8 bytes of decrypted content but 16bit swapped for ARM BGAs
 
== Update Package Contents Header ==
{|class="wikitable"
|-
|-
! [[Motherboard Revisions|Board]] !! [[Syscon Hardware]] !! sys_con_firmware package !! 1.00-1.30 !! 1.30-1.80 !! 1.81-2.80 !! 3.00-3.30 !! 3.40 !! 3.41-4.75 !! SoftID or Syscon Revision !! Notes
! Address !! Length !! Value !! Description
|-{{cellcolors|lightgrey}}
! rowspan=3 | [[COK-00x#COK-001|COK-001]] !! rowspan=3 | [[CXR713120-201GB]]
| SYS_CON_FIRMWARE_01000004.pkg || {{No}} || {{Yes}} || {{No}} || {{No}} || {{No}} || {{No}} || 0B8E || Superseded by SYS_CON_FIRMWARE_01000005.pkg
|-{{cellcolors|lightgrey}}
| SYS_CON_FIRMWARE_01000005.pkg || {{No}} || {{No}} || {{Yes}} || {{Yes}} || {{No}} || {{No}} || 0B8E || Superseded by SYS_CON_FIRMWARE_01000006.pkg
|-
|-
| SYS_CON_FIRMWARE_01000006.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0B8E ||
| 0x00 || 0x8 || 0x3 || Header Version?
|-{{cellcolors|lightgrey}}
! rowspan=2 | [[COK-00x#COK-002|COK-002]] || rowspan=2 | [[CXR713120-201GB]]<br />[[CXR713120-202GB]]
| SYS_CON_FIRMWARE_01010302.pkg || {{No}} || {{No}} || {{Yes}} || {{Yes}} || {{No}} || {{No}} || 0C16 || Superseded by SYS_CON_FIRMWARE_01010303.pkg
|-
|-
| SYS_CON_FIRMWARE_01010303.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0C16 ||  
| 0x08 || 0x8 || 0x40 || Header Size?
|-
|-
! [[SEM-00x|SEM-001]] || [[CXR713120-201GB]]<br />[[CXR713120-202GB]]<br />[[CXR713120-203GB]]
| 0x10 || 0x8 || 0x0 || Chunk Offset
| SYS_CON_FIRMWARE_01020302.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0D52 ||  
|-
|-
! [[DIA-00x#DIA-001|DIA-001]] || [[CXR714120-301GB]]
| 0x18 || 0x8 || 0x1000 || Chunk Size
| SYS_CON_FIRMWARE_01030302.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0DBF ||  
|-
|-
! [[DIA-00x#DIA-002|DIA-002]] / [[DEB-00x#DEB-001|DEB-001]] || [[CXR714120-301GB]]<br />[[CXR714120-302GB]]
| 0x20 || 0x8 || 0x1 || Current Chunk
| SYS_CON_FIRMWARE_01040402.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0E69 ||  
|-
|-
! ??? || ???
| 0x28 || 0x8 || 0x1 || Chunks Total
| SYS_CON_FIRMWARE_01050002.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0F29 || rowspan=2 | CXR714120-X0XGB / SW-30x Prototype
|-
|-
! ??? || ???
| 0x30 || 0x8 || 0x0 || Reserved_0?
| SYS_CON_FIRMWARE_01050101.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || 0F38
|-
|-
! [[VER-00x|VER-001]] || [[SW-30x]]
| 0x38 || 0x8 || 0x0 || Reserved_1?
| || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || 065D ||  
|-
|-
! [[DYN-00x|DYN-001]] || rowspan=4 | [[SW2-30x]]
|}
| SYS_CON_FIRMWARE_S1_00010002083E0832.pkg || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || {{Yes}} || 0832 || rowspan=2 | ps3 2k series
 
== Content ==
{|class="wikitable"
|-
|-
! [[SUR-00x|SUR-001]]
! Address !! Length !! Value !! Description
| || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || 08A0
|-
|-
! [[JTP-00x|JTP-001]]<br />[[JSD-00x|JSD-001]]
| || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || 08C2 || ps3 2k5 series
|-
|-
! [[KTE-00x|KTE-001]]
| 0x0 || 0x1000 || - || '''Content''' Data
| || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || 0918 || ps3 3k series
|-
|-
! [[MSX-00x|MSX-001]]<br />[[MPX-00x|MPX-001]] || [[SW3-30x]]
| || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || 098F || ps3 4k series
|}
|}


This means from syscon perspective notible firmware changes where made at 1.30, 1.81, 3.00, 3.40 and 3.41 that affected retail and debug PS3 models
=== Content Data Header ===
*Firmware 1.30 (December 6, 2006) added Backup/Restore
The header format is partially unknown at this stage.
*Firmware 1.81 (June 15, 2007) ?
All the Firmwares patches are written in little endian.
*Firmware 3.00 (September 1, 2009) resulted in Class action suit for BluRay reading problems
*Firmware 3.40 (June 29, 2010) ?
*Firmware 3.41 (July 26, 2010) ?
 
== NonRetail syscon ==
Remember, Debug/DEX consoles are normal retail consoles with different TargetID, so only those that have a nonretail board have deviating patches (like the CXR713F120A found on the [[DECR-1000A]] TOOL/DECR).


Tool/DECR don't have patches, they flash entire firmwares.<br />
Factory cp comes with 0.8.8 (corresponds to syscon fw size 0x60000)<br>
it is VERY likely that it is not possible to go below this point, so any smaller size would likely cause a brick (see [[Talk:Communication_Processor]] for more info on how to downgrade)<br>
DECR samples: [https://mega.co.nz/#!g50S1LRD!g8n1C191ax61YibnLEHJCQ63fT_ye1hA4Dhhrfulfs0] [https://mega.co.nz/#!jgVVCYZC!HaUXkeKFJNbzxAVkbO-Aj5LC2-yriY7rmUWKljlEQ40 mirror]:
v0.6.1c8_TMU510_u.bin  | CRC16:FAE0 | CRC32:590D9A21 | SHA1:DC8AEA0DDC6C5B813FE9861C972AAE111DA6FCAB | MD5:50794942BD9FAB7CC04A81BD8D220BA1 | 7379733103B15C07EC051E9B44D90BDF 07AD575D86B3937CFA8B3D331BE958DDB40EDFBE
v0.6.10c4_TMU510_u.bin | CRC16:B58A | CRC32:DB8A00BF | SHA1:5D52289960151E2543EBEAA805963B7B88C35DD8 | MD5:14C288A576690C587E95C8542EDC2A70 | 7379733160AF70F9CF5DF54F30D5C77C 5F360CD146EEC3A7B5026151C396C4A5F7F1EC91
v0.6.11c4_TMU510_u.bin | CRC16:8A51 | CRC32:289B15F3 | SHA1:D45214E907A104BCC6BC91D78B7B471263AB0699 | MD5:B7CFA6536329F0DFF1AAD7905627F15F | 73797331F283602B666562012850612E 3FABA6E4FE1D70724164A23886199F36A02EDB0D
v0.6.12c5_TMU510_u.bin | CRC16:31B2 | CRC32:1A1F141B | SHA1:403BF55314C4E785ED90D03A8F2E90B67CC235EA | MD5:1B19B55924445E4BBB2D970410AD6366 | 737973316E5C037615E4727464B2D929 2D2EB7DADEF6B24C4E959235E5B11917D352F9D5
v0.6.14c4_TMU510_u.bin | CRC16:FB1B | CRC32:079EF389 | SHA1:6EF7067FAD939D0B0DFC0B9418A6F4C7509104E5 | MD5:11E9F6270A5D79D0B76614B1C6FE622B | 73797331DCEAC9FA0F1B2449F332C4A9 1CBFF6FE43BDCA3B0A5AAFCE9A98D7176D951A49
v0.8.4c8_TMU510_u.bin  | CRC16:2949 | CRC32:81EFA508 | SHA1:5963B333361123782848E3639D9FA585A728691A | MD5:564D5479F5B98E244C1EA7B56BACC873 | 73797331E8A9ADD15036B33AB8E8AB17 FDCC981DA58B9F44E9331C9708C01D924D78DB3E
v0.9.9c1_TMU510_u.bin  | CRC16:172A | CRC32:EBB2D78A | SHA1:D5E693D2E22FD99CF3E330AC442CD9B07D01DB66 | MD5:216B258115F25B13C9969AF35BFCAC20 | 7379733116E6DD5F054442FACFA15A5C 5E62E8FC8059F864A91CAD142BC30BDAE77D9464
v0.9.14c1_TMU510_u.bin | CRC16:2A2C | CRC32:330CB685 | SHA1:30B19BB8B78E60D81848E8FDF6C4A79537CFBE66 | MD5:7AA5BFE64D15F8BD61EB80B999FE4343 | 73797331807BAF3D6E1B6A3CA5FDF30D 7CCE3B0E739A19C9C431D4D8C59CF1513DAF25E9
v1.0.1c1_TMU510_u.bin  | CRC16:3FD1 | CRC32:A7C7E313 | SHA1:F0DCA7130074E023FFAF58EBD06A61EE73C94907 | MD5:C95C57DC20D9AC5473C1EC914744352F | 73797331F362AE579EA3D864E27334CC 3EAB05DEC5328E885EED3295954999BD518ABFDF
v1.0.3c1_TMU510_u.bin  | CRC16:636E | CRC32:32942DFD | SHA1:83BE56F92A93B911D2BBE12DD1F6AF9CCD1EC11B | MD5:642C0E6615AACBF180C367F7927D1E30 | 737973312D08051E9F5AA1AAF2647EC0 44EE5DF74D92DDB81B1099430B0B5A243FFDA44E
v1.0.4c1_TMU510_u.bin  | CRC16:528F | CRC32:A0FBA694 | SHA1:1A5E5F97D66A754C2C7436618DC911C1C57B9FEA | MD5:6641B03FC6193E35380D681152226275 | 73797331E40325B060CDE461D250058D 8AF478F0A1C1B4B9DECA01C8770F8A9010F0A513
v1.0.5c1_TMU510_u.bin  | CRC16:59F8 | CRC32:87316EBF | SHA1:8ED74829973F740C1B825FD976F7926A95ACBE8B | MD5:717DC4187A6E446C30DACAC129090656 | 737973316856FC96CA6FA4D4652D4985 F9E998439D4C23DA9C1BA8F5C44611D826DA1CFE
=== dev/hda ===
dev_hda.image from [[DECR-1000A]] CP: [http://mega/content/secure.html#!shd2VBwI!aElpZXIMqxdAP0hw775sNhmkwJewVXafQvdFUGQ5Lgo dev_hda.image] [https://mega.co.nz/#!y8kWmSqR!4PPNen3bukLWt-EZm_zENT9G8Ey-Fi0YcaLHNey41m0 dev_hda.image.7z]
==== Partitions ====
{| class="wikitable sortable"
{| class="wikitable sortable"
|-
|-
! device file !! size !! type
! Offset !! Length !! Notes !! Related DECR Error !! Notes
|-
|-
| /dev/loop0p1 || 51 MB (50577408 bytes) || 0x89
| 0x0 || 0x4 || Magic || FFFFFED2 (Magic Error) || 0x1B2D700F in mullions, '''sys1''' in cytology ?
|-
|-
| /dev/loop0p2 || 8,7 MB (8650752 bytes) || Linux
| 0x4 || 0x10 || Header CMAC1 || rowspan="6" | FFFFFED1 (Header Check Error) || CMAC of Partial Header (0x10,0x30 size) with header first 4 bytes instead of random 4 bytes<br>and where Header CMAC2 is zeroed Concatenated with Encrypted Body
|-
|-
| /dev/loop0p3 || 32 MB (31981568 bytes) || Linux
| 0x14 || 0x10 || Header CMAC2 || CMAC of Header (where this cmac has been zeroed)
|-
|-
| /dev/loop0p4 || 35 MB (35127296 bytes) || Extended
| 0x24 || 0x4 || Padding ||  
|-
|-
| /dev/loop0 || 4,9 MB (4883968 bytes) || Unassigned
| 0x28 || 0x4 || Total size || Always 0x1000 in mullions, 0x60040 in cytology ?
|-
|-
|}
| 0x2C || 0x4 || Size of binary || Always 0xFC0 in mullions, 0x60000 in cytology ?
 
=== Deviating from Retail ===
Please note that without info about the SKU the listing of ID's is pretty useless
{| class="wikitable sortable"
|-
|-
! sys_con_firmware package !! 1.00-1.30 !! 1.30-1.80 !! 1.81-2.80 !! 3.00-3.30 !! 3.40 !! 3.41-4.11 !! SoftID !! Notes
| 0x30 || 0x10 || IV for AES-128 CBC ||
|-
|-
| ? || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || 0B67 || Debug/DEX
| 0x40 || 0xFC0 || Encrypted binary || FFFFFED0 (Data Check Error)<br>FFFFFECF (Data Size Check Error) ||
|-
|-
|}
|}


== Usage ==
* Note: For the weird bogus update ONLY: FFFFFF37 (Alignment Error?) (Trying any data size between 0x41 and 0x4C bytes)
* Note2: v0.6.14c4 is the bogus update (only update with a weird header)
* Note3: setting data between 0x40 to 0x4C to zero in bogus update yields error FFFFFED0


The firmware PUP's contains a collection of patches for all the different hardware revisions of syscon's chips used in different motherboard models.
'''Samples'''
<pre>
00000000  1B 2D 70 0F AB 5E B3 99 68 20 FE 3D E1 80 6A 1D  .-p.«^³™h þ=á€j.
00000010  B8 FD 37 CF CD 45 85 AB 51 F7 05 E3 EA 32 A5 EA  ¸ý7ÏÍE…«Q÷.ãê2¥ê
00000020  67 45 F9 48 00 00 00 00 00 10 00 00 C0 0F 00 00  gEùH........À...
00000030  8B 04 07 F9 9B A2 90 3A 75 89 F1 42 12 59 DA 0D  ‹..ù›¢.:u‰ñB.YÚ.
00000040  21 7C A2 C3 5A E4 78 00 10 8D 4B F7 A2 73 9C 63  !|¢ÃZäx...K÷¢sœc
00000050  5D 8D 5D 49 16 C7 6F 2C AD 33 FE 1F D3 6C A1 CA  ].]I.Ço,.3þ.Ól¡Ê
00000060  BA AD 2B FE 8F 33 71 D7 C5 E6 5C FF BF 77 6C 80  º.+þ.3q×Åæ\ÿ¿wl€
00000070  F2 BE 11 BB 3C 52 52 DC A9 68 E5 24 AD 4F F3 48  ò¾.»<RRÜ©hå$.OóH
</pre>


The ps3swu.self (system updater) decides which applicable [[Syscon Hardware]] is present and installs the needed package update(s) accordingly (via updater manager ss service).
-From v1.0.4c2_TMU510_u-
<pre>
00000000  73 79 73 31 73 47 59 5D  FB 85 3B 7B 4A 28 10 5D  sys1sGY]û…;{J( ]
00000010  46 EE 8C 01 3C B4 F1 82  1E 18 4F B7 4A 56 FC C7  FîŒ <´ñ‚  O·JVüÇ
00000020  FF 83 0B E0 00 00 00 00  40 00 06 00 00 00 06 00  ÿƒ à    @     
00000030  69 B6 02 69 3A 97 8B 1C  4E 18 D4 E0 63 7D CA 94  i¶ i:—‹ N Ôàc}Ê”
00000040  4B A0 79 34 79 41 BD 09  BB 68 D4 0A A0 B7 05 78  K y4yA½ »hÔ  · x
00000050  D9 8F 8F 28 6C 9A 1B 61  CF A1 E7 49 7D CA C4 A3  Ù  (lš aÏ¡çI}ÊÄ£
00000060  A4 4D 4B E0 AE 48 86 03  B1 43 F2 47 C0 C4 1D 4F  ¤MKà®H† ±CòGÀÄ O
00000070  FA E8 43 A7 1E 6E 79 8C  E5 FF 04 20 E9 44 09 B5  úèC§ nyŒåÿ  éD µ
</pre>


Which syscon version and which patches are installed can be seen in [[More_System_Information]]
=== Content Data Patch (encrypted) ===
 
Packages can be extracted with the unpkg tool. Extracted content of the updates appears to always be 0x1000 bytes (4KB).
== Decryption ==
Packages can be decrypted with the unpkg tool. Decrypted content of the updates appears to always be 0x1000 bytes (4KB).
 
=== Patch/Firmware Body Decryption/Hashing ===
 
The following is all theoretical and is intended to discard possibilities about modes of operation used by aes when decrypting body of firmware/patch


The following is all theoretical and is intended to discard possibilities about modes of operation used by aes when decrypting body of firmware/patch<br>
We know that:
We know that:
* Two key expansions are used before applying crypto on body (one probably for hashing. the other for decrypting with cbc)
* Two key expansions are used before applying crypto on body (one probably for hashing. the other for decrypting with cbc)
* Encrypt is used when applying crypto on body TopHalf (forward ttables) and Decrypt is used when applying on body Bottomhalf (inverse ttables)
* Encrypt is used when applying crypto on body TopHalf (forward ttables) and Decrypt is used when applying on body Bottomhalf (inverse ttables)
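
Review bot: The upper firmware bound is inconsistent inside the new text: the Syscon patches table heads its last column [[3.41-1_CEX|3.41]]~[[4.88_CEX|4.88]], while the SoftID row of the Update Package Header table still annotates every value with an upper bound of 4.84 (for example 0x0B8E(1.30-4.84)). Use one upper bound in both places, or drop the per-value ranges from the SoftID row now that the patches table carries them. The same SoftID row also loses 0x065D, 0x08A0, 0x08C2 and 0x0918 compared with the row it replaces; if the intent is to list only SoftIDs that have a known package, say so next to the table. In the Content Data Header table the header row names two columns "Notes" (! Offset !! Length !! Notes !! Related DECR Error !! Notes); the first one holds field names and should be titled accordingly. Smaller wording points in the new Description and Update procedure text: "a optional patch", "applyed", "flasheable".
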
Line 235: Line 371:
* 4 regions can be controlled for DPA and they are: 0x2790 (size 0x20) (FFs), patch header (most notably at offset 0x4 of header size 0x10 and 0x30 size 0x10), patch body tophalf(+0x40) and patch body bottomhalf(+0x50)
* 4 regions can be controlled for DPA and they are: 0x2790 (size 0x20) (FFs), patch header (most notably at offset 0x4 of header size 0x10 and 0x30 size 0x10), patch body tophalf(+0x40) and patch body bottomhalf(+0x50)
* here are the DPA bytes for each of the controlable sections:
* here are the DPA bytes for each of the controlable sections:
* 21 06 23 DC A2 98 99 4D XX 87 F8 40 FC 48 1C BF (section 2/FF's from 0x2790 on DIA-001)
* 21 06 23 DC A2 98 99 4D XX 87 F8 40 FC 48 1C BF (section 2/FF's from 0x2790 on DIA-001) -> 210623DCA298994DFE87F840FC481CBF 
* 21 06 23 DC A2 98 99 4D XX 87 F8 40 FC 48 1C BF (section 2/FF's from 0x2790 on DEB-001)
* 21 06 23 DC A2 98 99 4D XX 87 F8 40 FC 48 1C BF (section 2/FF's from 0x2790 on DEB-001) -> 210623DCA298994DFE87F840FC481CBF 
* 16 32 47 79 C3 2C 47 D3 2B 39 CA B5 83 41 0E D5 (section 3/header from DIA-001 patch content)
* 16 32 47 79 C3 2C 47 D3 2B 39 CA B5 83 41 0E D5 (section 3/header from DIA-001 patch content)
* 7B FC 27 CD D5 9A 05 09 3A DF E4 75 BF FD 03 1A (section 3/header AA from DEB-001 patch content)
* XX XX XX XX 7B FC 27 CD D5 9A 05 09 3A DF E4 75 (section 3/header AA from DEB-001 patch content) -> 6E9CE7C57BFC27CDD59A05093ADFE475
* 92 4A 87 88 20 59 6C 49 9F 0E 7D 77 2F 38 4C FC (section 3/header DD from DEB-001 patch content)
* 92 4A 87 88 20 59 6C 49 9F 0E 7D 77 2F 38 4C FC (section 3/header DD from DEB-001 patch content)
* 7D C6 3B 3B 69 DF 67 4C 94 D7 D4 A8 E0 F8 5B B2 (section 4/body from DIA-001 patch content/tophalf/forward)
* 7D C6 3B 3B 69 DF 67 4C 94 D7 D4 A8 E0 F8 5B B2 (section 4/body from DIA-001 patch content/tophalf/forward)
* 73 XX F0 3D XX 9A F0 92 4D XX 62 DA XX 48 3C DB (section 4/body from DIA-001 patch content/bottomhalf/inverse)
* 73 XX F0 3D XX 9A F0 92 4D XX 62 DA XX 48 3C DB (section 4/body from DIA-001 patch content/bottomhalf/inverse)
* 49 1F 7B 0A 48 BD 79 33 4E 16 89 F6 B0 25 86 48 (section 4/body from DEB-001 patch content/tophalf/forward)
* 49 1F 7B 0A 48 BD 79 33 4E 16 89 F6 B0 25 86 48 (section 4/body from DEB-001 patch content/tophalf/forward)
* 14 4D F1 D3 21 B6 17 46 60 81 42 E5 02 C9 07 66 (section 4/body from DEB-001 patch content/bottomhalf/inverse/PROPER)
* 14 4D F1 D3 21 B6 17 46 60 81 42 E5 02 C9 07 66 (section 4/body from DEB-001 patch content/bottomhalf/inverse/PROPER) -> 6B3583DA1AA6B49106E1641178EE68C8 (inverse ttables)
* some bytes are considered "weak" bytes and should be bruteforced in the eventuality these keys fail
* some bytes are considered "weak" bytes and should be bruteforced in the eventuality these keys fail
* another possibility is that both the header and the body are hashed and then decrypted, using for example, cmac and cbc
* another possibility is that both the header and the body are hashed and then decrypted, using for example, cmac and cbc
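Review bot: the "->" values appended to the DPA byte lines are never defined, and the DEB-001 "header AA" line changes alignment without comment. On the two section 2 lines and on the header AA line the value after the arrow is the left-hand string with the XX positions filled in (XX becomes FE; XX XX XX XX becomes 6E 9C E7 C5), but on the DEB-001 bottomhalf line the left side "14 4D F1 D3 21 B6 17 46 60 81 42 E5 02 C9 07 66" points to "6B3583DA1AA6B49106E1641178EE68C8 (inverse ttables)", which shares no bytes with it, so a reader cannot tell whether the arrow means "weak bytes resolved" or "value after a transform". The header AA line also moves from "7B FC 27 CD D5 9A 05 09 3A DF E4 75 BF FD 03 1A" to "XX XX XX XX 7B FC 27 CD D5 9A 05 09 3A DF E4 75", shifting the bytes by four and dropping the trailing BF FD 03 1A. Suggest one sentence above the list stating what the arrow denotes and how the right-hand value is obtained, plus a short note on why the AA window was shifted.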
Line 256: Line 392:
* TopHalf is ONLY the very first 0x10 bytes AFTER the header and into the body (corresponding to 0x40 in header size 0x10)
* TopHalf is ONLY the very first 0x10 bytes AFTER the header and into the body (corresponding to 0x40 in header size 0x10)
* BottomHalf is the rest of the body itself.
* BottomHalf is the rest of the body itself.
* DYN-001 processes one entire chunk of 0x1000 bytes, 0x40 for header and 0xFC0 for body, and not two of 0x400 and 0xC00 like the Sony models
* 504 aes operations are done for the body (252/0xFC for cmac and 252/0xFC for cbc). it is unknown if cmac comes first or it is cbc.
* All attacks show weak bytes in comparisson with CXR(F), likely due to CXR being optimized for the attack (removed resistors/capacitors, etc)
= Patch structure (decrypted) =
== Mullion Patch structure ==


== Header ==
{| class="wikitable"
The header format is partially unknown at this stage.
|-
All the Firmwares patches are written in little endian.
! Offset !! Size !! Name !! Number !! Example !! Notes
|-
| 0x00 || 0x2 || Major Version || 1 ||  ||
|-
| 0x02 || 0x2 || Minor Version || 1 ||  ||
|-
| 0x04 || 0x2 || Major Revision || 1 ||  ||
|-
| 0x06 || 0x2 || Minor Revision || 1 ||  ||
|-
| 0x08 || 0x10 || Patch Addresses || 4*4 ||  ||
|-
| 0x18 || 0x10 || Patch Instruction / Data || 4*4 ||  ||
|-
| 0x28 || 0x10 || Patch Jump Instruction Addresses || 4*4 ||  ||
|-
| 0x38 || 0x388 || Additional Patch Instructions || 1 ||  ||
|-
| 0x3C0 || 0xC00 || HDMI Patch || 1 ||  ||
|-
|}
 
== Sherwood Patch structure ==
{| class="wikitable"
|-
! Offset !! Size !! Name !! Number !! Example !! Notes
|-
| 0x00 || 0x4 || Magic || 1 || 0x5D4E246B ||
|-
| 0x04 || 0x2 || Major Version || 1 || 0x0001 || In the output of the UART command ''patchinfo'' is named ''MAJOR''
|-
| 0x06 || 0x2 || Minor Version || 1 || 0x0002 || In the output of the UART command ''patchinfo'' is named ''MINOR''
|-
| 0x08 || 0x2 || Major Revision || 1 || 0x083E || In the output of the UART command ''patchinfo'' is named ''REV'' (patch revision)
|-
| 0x0A || 0x2 || Minor Revision || 1 || 0x0832 || In the output of the UART command ''patchinfo'' is named ''SYS_REV'' (syscon revision)
|-
| 0x0C || 0x4 || Absolute Table Address || 1 || 0x0000201A || In the output of the UART command ''patchinfo'' is named ''TABLE''
|-
| 0x10 || 0x2 || Data Size || 1 || 0x0FAA || In the output of the UART command ''patchinfo'' is named ''DATSIZE''
|-
| 0x12 || 0x2 || Data Checksum || 1 || 0x02AB || In the output of the UART command ''patchinfo'' is named ''DATSUM''
|-
| 0x14 || 0x2 || Patch Checksum || 1 || 0x035D || In the output of the UART command ''patchinfo'' is named ''SUM'' (patch checksum)
|-
| 0x16 || 0x2 || Relative Data Address || 1 || 0x0000 || Not parsed/ignored on SW (only used on SW2/SW3). Relative to the patch start address (0x2000)
|-
| 0x18 || 0x2 || Relative Table Address || 1 || 0x0000 || Not parsed/ignored on SW (only used on SW2/SW3). Relative to the patch start address (0x2000)
|-
| 0x1A || 0x80 || Table || 4*0x20 ||  ||
|-
| 0x9A || 0x6 || Padding || - ||  || Not parsed/ignored on SW (only used on SW2/SW3)
|-
|}
 
= Command list =
 
== Mullion ==
 
=== External commands ===
<!-- Im wondering if there is some easy way to indicate in wiki what means each byte
*Permission
** 0x00008096 = ?
** 0x000080D5 = ?
** 0x000080D6 = ?
** 0x0000809A = ?
** 0x000080DA = ?
** 0x0000C0D5 = ?
** 0x0000C0D7 = ?
** 0x0000C0DF = ?
** 0x0000C0EF = ?
** 0x0000C0FF = ?
-->


{| class="wikitable sortable"
{| class="wikitable sortable"
! Address              !! Command      !! Subcommand  !! Permission 
|-
| 0x32959              || BOOT        || MODE        || 0x000080D6 
|-
| 0x329D5              || BOOT        || CONT        || 0x000080D5 
|-
| 0x342D7              || SHUTDOWN    || -            || 0x0000C0D5 
|-
| 0x32A51              || HALT        || -            || 0x0000C0D5 
|-
| 0x32A85              || BOOTENABLE  || -            || 0x0000809A 
|-
| 0x33491              || AUTH1        || -            || 0x0000C0EF 
|-
| 0x33525              || AUTH2        || -            || 0x0000C0EF 
|-
| 0x33619              || AUTHVER      || SET          || 0x0000C0DF 
|-
| 0x335BF              || AUTHVER      || GET          || 0x0000C0FF 
|-
| 0x32AC3              || EEP          || INIT        || 0x000080DA 
|-
| 0x32C51              || EEP          || SET          || 0x0000C0DF 
|-
| 0x32D3D              || EEP          || GET          || 0x0000C0DF 
|-
| 0x32EA7              || PDAREA      || SET          || 0x0000C0DF 
|-
| 0x32E3B              || PDAREA      || GET          || 0x0000C0DF 
|-
| 0x330C5              || CSAREA      || SET          || 0x0000C0DF 
|-
| 0x33057              || CSAREA      || GET          || 0x0000C0DF 
|-
| 0x33169              || VID          || GET          || 0x0000C0D5 
|-
| 0x331D7              || CID          || GET          || 0x0000C0D5 
|-
| 0x3321D              || ECID        || GET          || 0x0000C0D5 
|-
| 0x3325D              || REV          || SB          || 0x0000C0D5 
|-
| 0x3328D              || SPU          || INFO        || 0x0000C0D5 
|-
| 0x332E1              || KSV          || -            || 0x0000C0D5 
|-
| 0x33685              || FAN          || SETPOLICY    || 0x0000C0D7 
|-
| 0x33717              || FAN          || GETPOLICY    || 0x0000C0D7 
|-
| 0x33781              || FAN          || START        || 0x0000C0D7 
|-
| 0x33781              || FAN          || STOP        || 0x0000C0D7 
|-
| 0x33951              || FAN          || SETDUTY      || 0x0000C0D7 
|-
| 0x339C3              || FAN          || GETDUTY      || 0x0000C0D7 
|-
| 0x33A27              || R8          || -            || 0x0000C0DF 
|-
| 0x33AD1              || W8          || -            || 0x0000C0DF 
|-
| 0x33B71              || R16          || -            || 0x0000C0DF 
|-
| 0x33C19              || W16          || -            || 0x0000C0DF 
|-
| 0x33CBB              || R32          || -            || 0x0000C0DF 
|-
| 0x33E49              || W32          || -            || 0x0000C0DF 
|-
| 0x33EE9              || RBE          || -            || 0x0000C0D5 
|-
|-
! Offset !! Length !! Notes !! Related DECR Error !! Notes
| 0x33F91              || WBE          || -            || 0x0000C0D5 
|-
|-
| 0x0 || 0x4 || Magic || FFFFFED2 (Magic Error) ||
| 0x34049              || PORTSTAT    || -            || 0x0000C0DF 
|-
|-
| 0x4 || 0x10 || Header CMAC1 || FFFFFED1 (Header Check Error) || CMAC of Partial Header (0x10,0x30 size) with header first 4 bytes instead of random 4 bytes and where Header CMAC2 is zeroed Concatenated with Encrypted Body
| 0x332BF              || VER          || -            || 0x0000C0FF  
|-
|-
| 0x14 || 0x10 || Header CMAC2 || FFFFFED1 (Header Check Error) || CMAC of Header (where this cmac has been zeroed)
| 0x341C5              || BUZ          || -            || 0x00008096 
|-
|-
| 0x24 || 0x4 || Padding || FFFFFED1 (Header Check Error) ||
| 0x342D7              || SERVFAN      || -            || 0x0000C0D7 
|-
|-
| 0x28 || 0x4 || Total size || FFFFFED1 (Header Check Error) ||
| 0x341F9              || ERRLOG      || START        || 0x0000C0DF 
|-
|-
| 0x2c || 0x4 || Size of binary || FFFFFED1 (Header Check Error) ||
| 0x34221              || ERRLOG      || STOP        || 0x0000C0DF 
|-
|-
| 0x30 || 0x10 || IV for AES-128 CBC || FFFFFED1 (Header Check Error) ||  
| 0x34249              || ERRLOG      || GET          || 0x0000C0FF 
|-
|-
| 0x40 || 0xfc0 || Encrypted binary || FFFFFED0 (Data Check Error) / FFFFFECF (Data Size Check Error) ||
| 0x342B3              || ERRLOG      || CLEAR        || 0x0000C0DF 
|-
|-
|}
|}


* Note: For the weird bogus update ONLY: FFFFFF37 (Alignment Error?) (Trying any data size between 0x41 and 0x4C bytes)
=== Internal commands ===
* Note2: v0.6.14c4 is the bogus update (only update with a weird header)
{| class="wikitable sortable"
* Note3: setting data between 0x40 to 0x4C to zero in bogus update yields error FFFFFED0
|-
 
! Command !! Address !! Perms !! SubCommands !! Description
=== Samples ===
|-
|becount || 0xCA7D || 0xDD0C0000|| - || Display bringup/shutdown count + Power-on time
|-
|bepgoff || 0xA4E7 || 0xD00C0000|| - || BE power grid off
|-
|bepkt ||  0x2435D ||  0xDC0C0000 || show/set/unset/mode/debug/help || Packet permissions
|-
|bestat ||  0xD413 || 0xFD0F0000|| - || Get status of BE
|-
|boardconfig ||    0x99C7 || 0xDC0C0000|| - || Displays board configuration (NOT WORKING?)
|-
|bootbeep || 0x1EA67 ||  0xF0000000 || stat/on/off ||  Boot beep
|-
|bringup || 0xD597 || 0xFD0F0000|| - || Turn PS3 on
|-
|bsn || 0xD805 || 0xF00F0000|| - || Get board serial number
|-
|bstatus || 0x24269 ||  0xDD0C0000|| - || HDMI related status
|-
|buzz ||    0xA4FF || 0xDC0C0000 || [freq] || Activate buzzer
|-
|buzzpattern ||    0xA8B7 || 0xDC0C0000 || [freq] [pattern] [count] || Buzzer pattern
|-
|clear_err || 0x2595B ||  0xDD0C0000 || last/eeprom/all ||  Clear errors
|-
|clearerrlog ||    0xB8CB || 0xDD0C0000|| - || Clears error log
|-
|comm ||    0x9919 || 0xDC0C0000|| - || Communication mode
|-
|commt ||  0x24907 ||  0xDC0C0000 || help/start/stop/send ||  Manual BE communication
|-
|cp || 0x1E077 ||  0xF0000000 || ready/busy/reset/beepremote/beep2kn1n3/beep2kn2n3 || CP control commands
|-
|csum ||    0xD687 || 0xFF0F0000|| - || Firmware checksum
|-
|devpm ||  0xD053 || 0xDD0C0000 || ata/pci/pciex/rsx || Device power management
|-
|diag ||    0x9AAD || 0xD00C0000 || ... || Diag (execute without param to show help) (NOT WORKING?)
|-
|disp_err ||0x25911 ||  0xDD0C0000|| - || Displays errors
|-
|duty ||    0x9B23 || 0xDD0C0000 || get/getmin/getmax/getinimin/getinimax<br>set/setmin/setmax/setinimin/setinimax ||  Fan speed
<pre>
Usage: duty get fanconNo
    ex. duty get 1
</pre>
|-
|dve || 0x2995D ||  0xDC0C0000 || help/set/save/show || DVE chip parameters
|-
|eepcsum || 0xAA65 || 0xDD0C0000|| - || Displays checksums of some eeprom areas
|-
|eepromcheck ||    0x9A1D || 0x000C0000 || [id] || Check eeprom
|-
|eeprominit || 0x9A65 || 0x000C0000 || [id] || Init eeprom
|-
|ejectsw || 0xD611 || 0xFD0F0000|| - || Eject switch
|-
|errlog ||  0xB7ED || 0xFF0C0000|| - || Gets the error log
|-
|fancon ||  0xD26D || 0x0D000000|| - || Does nothing
|-
|fanconautotype || 0xC075 || 0xDD0C0000|| - || Does nothing
|-
|fanconmode || 0xBF35 || 0xDD0C0000 || get || Fan control mode (0=Full, 1=VaryTable & VaryServo, 2=Manual, 3=Minimun)
<pre>
Usage: fanconmode get fanconNo
    ex. fanconmode get 1
</pre>
|-
|fanconpolicy ||  0xBBC9 || 0xDD0C0000 || get/set/getini/setini || Fan control policy (0=Full, 1=Auto, 2=Manual)
<pre>
Usage: fanconpolicy get fanconNo
    ex. fanconpolicy get 1
</pre>
|-
|fandiag || 0x1E91B ||  0xF0000000|| - || Fan Diagnostic (test)
|-
|faninictrl || 0xD3D9 || 0x0D000000|| - || Does nothing
|-
|fanpol ||  0xCA31 || 0xDD0C0000|| - || Does nothing
|-
|fanservo || 0xBF29 || 0xDD0C0000|| - || Does nothing
|-
|fantbl ||  0xC087 || 0xDD0C0000 || get/set/getini/setini/gettable/settable/getselect/setselect ||  Fan table: get/set - currently in RAM/in use ; getini/setini - stored in EEPROM (!! in COK the chksum does not updated automatically !!)
<pre>
Usage: fantbl set fanconNo pNo tempD tempU duty
    ex. fantbl set 0 p1 0x1400 0x1E40 0xC0
    ex. fantbl set 0 p1 20.0 30.25 75
Usage: fantbl get fanconNo
    ex. fantbl get 1
</pre>
|-
|firmud ||  0xD61D || 0xFDFF0000|| - || Firmware update
|-
|geterrlog || 0xB84F || 0xDD0C0000 || [id] || Gets error log
|-
|getrtc ||  0xA6F3 || 0xDD0C0000|| - || Gets rtc
|-
|halt ||    0x1E107 ||  0xF0000000|| - || Halts syscon
|-
|hdmi ||    0x29F39 ||  0xDD0C0000 || ... ||  HDMI (various commands, use help)
<pre>
[HDMI Help] HDMI System Start        :$ hdmi setup ([ChannelNo])
[HDMI Help] Show IC Type              :$ hdmi ictype [ChannelNo]
[HDMI Help] Display EDID              :$ hdmi redid  [ChannelNo] (p)
[HDMI Help] Display KSV              :$ hdmi rksv  [ChannelNo]
[HDMI Help] SiI Register Read        :$ hdmi r  [ChannelNo] [TargetDevID(0/1)] [OffsetAddr(hex)] [ReadSize(hex)]
[HDMI Help] SiI Register Write        :$ hdmi w  [ChannelNo] [TargetDevID(0/1)] [OffsetAddr(hex)] [WriteData(hex)]
[HDMI Help] Set 12bit Param          :$ hdmi 12bit  [ChannelNo] (d1:0 - d5:4)
[HDMI Help] Set 10bit Param          :$ hdmi 10bit  [ChannelNo] (d1:0 - d5:4)
[HDMI Help] DDC Bus Read              :$ hdmi dr [ChannelNo] [TargetDevID(0/1)] [OffsetAddr(hex)] [ReadSize(hex)]
[HDMI Help] DDC Bus Write            :$ hdmi dw [OffsetAddr(hex)] [WriteData(hex)]
[HDMI Help] Show Channel Status      :$ hdmi chstat  [ChannelNo]
[HDMI Help] Debug Log Verbose        :$ hdmi vbs ([Verbose Setting(hex)])
[HDMI Help] HDMI System Shutdown      :$ hdmi letup ([ChannelNo])
[HDMI Help] HDMI Eleguler Test        :$ hdmi hwreset ([ChannelNo])
[HDMI Help] HDMI Eleguler Test KPL    :$ hdmi hwreset2 ([ChannelNo])
[HDMI Help] HDMI Manage Struct Dump  :$ hdmi dumpst ([ChannelNo])
[HDMI Help] Show HDMI and DVE Port Num:$ hdmi ports
[HDMI Help] Show Timer Value          :$ hdmi timer
[HDMI Help] Show I2C Resource        :$ hdmi i2c
[HDMI Help] Show Patch Information    :$ hdmi patch
[HDMI Help] Resolution Reset          :$ hdmi resrst [ChannelNo]
[HDMI Help] Show this Message        :$ hdmi help
</pre>
|-
|hdmiid ||  0x29D1D ||  0xDC0F0000|| - || Get HDMI id's
|-
|hdmiid2 || 0x29D81 ||  0xDC0F0000|| - || Get HDMI id's
|-
|hversion || 0x2422F ||  0xDD0C0000|| - || Displays [[Platform ID]]
|-
|hyst ||    0xAEF5 || 0xDD0C0000 || get/set/getini/setini || This value is stored inside the Thermal Config area, every thermal sensor has their own. See: [https://en.wikipedia.org/wiki/Hysteresis#Control_systems Hysteresis]
<pre>
Usage: hyst set TZoneNo temp
    ex. hyst set 1 0x0200
    ex. hyst set 1 2.0
Usage: hyst get TZoneNo
    ex. hyst get 14
</pre>
|-
|lasterrlog || 0xB7FF || 0xDD0C0000|| - || Last error from log
|-
|ledmode || 0xA80B || 0xDC0C0000 || [id] [id] ||  Get led mode
|-
|LS || 0x2421B ||  0xDD0C0000|| - || LabStation Mode
|-
|ltstest || 0xCB97 || 0xDD0C0000 || get/set be/rsx ||  ?Temp related? values
|-
|osbo ||    0x1EA3F ||  0xF0000000|| - || Sets 0x2000F60
|-
|patchcsum ||  0xD9F7 || 0xDD0C0000|| - || Patch checksum
|-
|patchvereep ||    0xD9B1 || 0xDD0C0000|| - || Patch version eeprom
|-
|patchverram ||    0xD965 || 0xDD0C0000|| - || Patch version ram
|-
|poll ||    0x240E3 ||  0xDD0C0000|| - || Poll log
|-
|portscan || 0xDA0D || 0xDD0C0000 || [port] || Scan port (NOT WORKING?)
|-
|powbtnmode || 0xB911 || 0xDC0C0000 || [mode (0/1)] || Power button mode
|-
|powerstate || 0xCE6F || 0xDD0C0000|| - || Get power state
|-
|powersw || 0xD5F9 || 0xFD0F0000|| - || Power switch
|-
|powupcause || 0xB621 || 0xDD0C0000|| - || Power up cause
|-
|printmode || 0x99D9 || 0xDC0C0000 || [mode (0/1/2/3)] || Set printmode
|-
|printpatch || 0xD94F || 0xDD0C0000|| - || Prints patch
|-
|r || 0x8CA5 || 0xDD0C0000 || [offset] [length] ||  Read byte from SC
|-
|r16 || 0x8ED5 || 0xDD0C0000 || [offset] [length] ||  Read word from SC
|-
|r32 || 0x9191 || 0xDD0C0000 || [offset] [length] ||  Read dword from SC
|-
|r64 || 0x935D || 0xDD0C0000 || [offset] [length] || Read qword from SC
|-
|r64d ||    0x948F || 0xDD0C0000 || [offset] [length] ||  Read ?qword data? from SC
|-
|rbe || 0x96F9 || 0xDD0C0000 || [offset] ||  Read from BE
|-
|recv ||    0x24135 ||  0xDD0C0000|| - || Receive something
|-
|resetsw || 0xD605 || 0xFC0F0000|| - || Reset switch
|-
|restartlogerrtoeep ||  0xB903 || 0xDD0C0000|| - || Reenable error logging to eeprom
|-
|revision || 0xD7E1 || 0xFFFF0000|| - || Get [[More_System_Information|SoftID]]
|-
|rrsxc ||  0xD313 || 0xDD0C0000 || [offset] [length] || Read from RSX
|-
|rtcreset ||  0xA7BB || 0x000C0000|| - || Reset RTC
|-
|scagv2 ||  0xE24F || 0xFF000000|| - || Auth related?
|-
|scasv2 ||  0xE207 || 0xDD000000|| - || Auth related?
|-
|scclose || 0xE1EF || 0xFF000000|| - || Auth related?
|-
|scopen ||  0xE121 || 0xFF000000|| - || Auth related?
|-
|send ||    0x2416F ||  0xDD0C0000 || [variable] || Send something
|-
|shutdown ||0xD5C5 || 0xFD0F0000|| - || PS3 shutdown
|-
|startlogerrtsk || 0xB8E7 || 0xDD0C0000|| - || Start error log task
|-
|stoplogerrtoeep ||  0xB8F5 || 0xDD0C0000|| - || Stop error logging to eeprom
|-
|stoplogerrtsk ||  0xB8D9 || 0xDD0C0000|| - || Stop error log task
|-
|syspowdown ||0xB6E9 || 0xDD0C0000 || 3 params || System power down
|-
|task ||    0x15005 ||  0xDD0C0000|| - || Print tasks
|-
|thalttest || 0xD813 || 0x000F0000|| - || Thermal Alert Test ? (boes nothing), maybe is needed to do it while GameOS is working to trigger the XMB overheat warning message and the power off sequence
|-
|thermfatalmode || 0xCA3B || 0xDD0C0000 || canboot/cannotboot || Set boot mode after a thermal alert ?
|-
|therrclr || 0xD3E5 || 0xDD0C0000|| - || Clears the thermal alert register ?
|-
|thrm ||    0xBF1D || 0xDD0C0000|| - || Does nothing
|-
|tmp ||0xAA69 || 0xDD0C0000 || [tzone] ||  Get temperature
<pre>
Usage: tmp TZoneNo
    ex. tmp 1
</pre>
|-
|trace ||  0xB951 || 0xDD0C0000 || ... ||  Trace tasks (use help)
<pre>
Usage: trace command param
    command:
      [status/start/stop/dump/print/id]
    param (with `id' command):
      available characters: [0-9][,][-]
      ex. trace id 1-12,16
</pre>
|-
|trp ||0xAB2F || 0xDD0C0000 || get/set/getini/setini || This value is stored inside the Thermal Config area, every thermal sensor has their own<!-- Transient Receptor Potential ? https://en.wikipedia.org/wiki/Thermosensation -->
<pre>
Usage: trp set TZoneNo temp
    ex. trp set 2 0x5980
    ex. trp set 2 89.5
Usage: trp get TZoneNo
    ex. trp get 14
</pre>
|-
|tsensor || 0xA279 || 0xDD0C0000 || [tzone] ||  Get raw temperature
<pre>
Usage: tsensor TZoneNo
    ex. tsensor 2
</pre>
|-
|tshutdown || 0xB2A1 || 0xDD0C0000 || get/set/getini/setini || Thermal shutdown. This value is stored inside the Thermal Config area, every thermal sensor has their own
<pre>
<pre>
00000000 1B 2D 70 0F AB 5E B3 99 68 20 FE 3D E1 80 6A 1D  .-p.«^³™h þ=á€j.
  Usage: tshutdown set TZoneNo temp
00000010  B8 FD 37 CF CD 45 85 AB 51 F7 05 E3 EA 32 A5 EA  ¸ý7ÏÍE…«Q÷.ãê2¥ê
    ex. tshutdown set 2 0x5A80
00000020  67 45 F9 48 00 00 00 00 00 10 00 00 C0 0F 00 00  gEùH........À...
    ex. tshutdown set 2 90.5
00000030  8B 04 07 F9 9B A2 90 3A 75 89 F1 42 12 59 DA 0D ‹..ù›¢.:u‰ñB.YÚ.
  Usage: tshutdown get TZoneNo
00000040  21 7C A2 C3 5A E4 78 00 10 8D 4B F7 A2 73 9C 63  !|¢ÃZäx...K÷¢sœc
    ex. tshutdown get 14
00000050  5D 8D 5D 49 16 C7 6F 2C AD 33 FE 1F D3 6C A1 CA  ].]I.Ço,.3þ.Ól¡Ê
00000060  BA AD 2B FE 8F 33 71 D7 C5 E6 5C FF BF 77 6C 80  º.+þ.3q×Åæ\ÿ¿wl€
00000070  F2 BE 11 BB 3C 52 52 DC A9 68 E5 24 AD 4F F3 48  ò¾.»<RRÜ©hå$.OóH
</pre>
</pre>
|-
|tshutdowntime ||  0xC95D || 0xDD0C0000 || get ||  Thermal shutdown time. This value is stored inside the Thermal Config area, is a single value shared by all thermal sensors
|-
|tzone ||  0xB5E1 || 0xDD0C0000|| - || Shows a list of the "TZone" identifyers associated with every thermal sensor, and a short text description of them
<pre>
Example, on cytology PS3 models
> tzone
00: 1st BE Primary
01: RSX Primary
02: XDR Primary
0A: Air Intake
0F: GbE
14: SB
Example, on cookie old
> tzone
00: 1st BE Primary
01: RSX Primary
03: BE VR
14: SB
15: EE+GS
Example, on cookie new
> tzone
00: 1st BE Primary
01: RSX Primary
14: SB
Example, on sherwood
> tzone
# 00:1st BE Primary
# 01:RSX Primary


-From v1.0.4c2_TMU510_u-
<pre>
00000000  73 79 73 31 73 47 59 5D  FB 85 3B 7B 4A 28 10 5D  sys1sGY]û…;{J( ]
00000010  46 EE 8C 01 3C B4 F1 82  1E 18 4F B7 4A 56 FC C7  FîŒ <´ñ‚  O·JVüÇ
00000020  FF 83 0B E0 00 00 00 00  40 00 06 00 00 00 06 00  ÿƒ à    @     
00000030  69 B6 02 69 3A 97 8B 1C  4E 18 D4 E0 63 7D CA 94  i¶ i:—‹ N Ôàc}Ê”
00000040  4B A0 79 34 79 41 BD 09  BB 68 D4 0A A0 B7 05 78  K y4yA½ »hÔ  · x
00000050  D9 8F 8F 28 6C 9A 1B 61  CF A1 E7 49 7D CA C4 A3  Ù  (lš aÏ¡çI}ÊÄ£
00000060  A4 4D 4B E0 AE 48 86 03  B1 43 F2 47 C0 C4 1D 4F  ¤MKà®H† ±CòGÀÄ O
00000070  FA E8 43 A7 1E 6E 79 8C  E5 FF 04 20 E9 44 09 B5  úèC§ nyŒåÿ  éD µ
</pre>
</pre>
|-
|version || 0xD65F || 0xFFFF0000|| - || Syscon firmware version
|-
|w ||0x8BF9 || 0xDD0C0000 || [offset] [value] ||  Write byte to SC
|-
|w16 ||0x8E2D || 0xDD0C0000 || [offset] [value] ||  Write word to SC
|-
|w32 ||0x8FED || 0xDD0C0000 || [offset] [value] ||  Write dword to SC
|-
|w64 ||0x92A9 || 0xDD0C0000 || [offset] [value] ||  Write qword to SC
|-
|wbe ||0x9665 || 0xDD0C0000 || [offset] [value] ||  Write to BE
|-
|wmmto ||  0xCB3B || 0xDC0C0000 || get ||  Get watch dog timeout
|-
|wrsxc ||  0xD279 || 0xDD0C0000 || [offset] [value] ||  Write to RSX
|-
|xdrdiag || 0x1E711 ||  0xF0000000 || start/info/result || XDR diagnostics
|-
|xiodiag || 0x1E875 ||  0xF0000000|| - || XIO diagnostic
|-
|xrcv ||    0x25313 ||  0xDC0C0000|| - || Xmodem receive
|-
|}
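Review bot: two pairs of rows in the Mullion External commands table share an address, and the table does not say whether that is intended. FAN START and FAN STOP are both listed at 0x33781 with the same permission 0x0000C0D7, which is plausible for a single handler that switches on the subcommand, but SHUTDOWN and SERVFAN are both listed at 0x342D7 with different permissions (0x0000C0D5 and 0x0000C0D7), so at least one of those two rows is probably a copy error. Suggest checking both against the firmware and adding a note on any rows that really share a handler. Two further points for the same edit: the permission legend above the External commands table is inside an HTML comment with every value still "= ?", so the Permission column is undocumented here while the Sherwood section does define its values; and the Internal commands descriptions carry typos ("boes nothing" in thalttest, "Minimun" in fanconmode, "identifyers" in tzone, "the chksum does not updated" in fantbl).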
== Sherwood ==
*Permission
** 0x0700 = A_AUTH
** 0x0B00 = B_AUTH
** 0x0300 = INT (Command not available from UART interface. Can be unlocked by patching syscon firmware)
** 0x0F00 = ANY


=== Observations ===
{| class="wikitable sortable" style="line-height:110%"
* The first 4 bytes (0x1B2D700F) appear static in each package.
|+Sherwood Commands
* The next 0x20 bytes appear to change with each package
! rowspan="2" | Command<br>lowercase/UPPERCASE !! rowspan="2" | <abbr title="Permission">Perms</abbr> !! colspan="3" | Address !! rowspan="2" | Notes
* The following 12 bytes (0x0000000000100000C00F0000) also appear static, but it's the firmware size and fw size - header size; infact if correctly converted to little endian 00000000 00001000 00000fc0, where 00000000 is Unknown, 00001000 is 4096 in dec (file size) and 00000fc0 is 4032 in dec (update size).
|-
* On the DECH fw, the update works in the same way: 000000004000060000000600 converted will be: 00000000 00060040 00060000, where, 00000000 is probably padding, file size 00060040, 00060000 update size
! SW-301 !! SW2-301 !! SW3-304
* the first 0x40 bytes probably are IV + HASH + update infos. probably the algorithm used is AES.
|-
* algorithm used is aes 128 cbc on the body (iv is at + 0x30)
| hdmi            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x32030 || 0x3D989 || 0x3E21D ||
|-                                               
| tsensor        || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2FB30 || 0x3B1CF || 0x3B8F0 ||
|-                                               
| tmp            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2FE7F || 0x3B3D5 || 0x3BAF6 ||
|-                                               
| trp            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2FFA6 || 0x3B627 || 0x3BD48 ||
|-                                               
| tshutdown      || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x301D8 || 0x3B645 || 0x3BD66 ||
|-                                               
| tzone          || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x3041B || 0x3B663 || 0x3BD84 ||
|-                                               
| thrm            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x30482 || 0x3B6C9 || 0x3BDEA ||
|-                                               
| duty            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x307EF || 0x3B95D || 0x3C07E ||
|-                                               
| fanconpolicy    || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x30C0D || 0x3BBB9 || 0x3C2DA ||
|-                                               
| fanconmode      || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x30DF9 || 0x3BD48 || 0x3C469 ||
|-                                               
| fantbl          || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x30F3B || 0x3BE58 || 0x3C579 ||
|-                                               
| fanservo        || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || {{cellcolors|lightgrey}} N/A ? || 0x3C07D || 0x3C79E ||
|-                                               
| fanservostat    || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || {{cellcolors|lightgrey}} N/A ? || 0x3C2E2 || 0x3CA03 ||
|-                                               
| fanservosetval  || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || {{cellcolors|lightgrey}} N/A ? || {{cellcolors|lightgrey}} N/A ? || 0x3CB6B ||
|-                                               
| hyst            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x305F2 || 0x3B7F0 || 0x3BF11 ||
|-                                               
| powupcause      || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x313EB || 0x3C695 || 0x3CE8E ||
|-                                               
| syspowdown      || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x31460 || 0x3C70A || 0x3CF03 ||
|-                                               
| devpm          || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x316C6 || 0x3C98A || 0x3D183 ||
|-                                               
| powerstate      || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x318CF || 0x3CB93 || 0x3D38C ||
|-                                               
| nonfatalerror  || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x31AC2 || 0x3CDF0 || 0x3D5E9 ||
|-                                               
| getrtc          || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x2F82A || 0x3AD68 || 0x3B489 ||
|-                                               
| help            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2ED2B || 0x3A280 || 0x3A9A1 ||
|-                                               
| meminfo        || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x2EED7 || 0x3A42C || 0x3AB4D ||
|-                                               
| rbe            || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x2EF63 || 0x3A4B8 || 0x3ABD9 ||
|-                                               
| DISABLEALLERASE || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2F1FC || 0x3A751 || 0x3AE72 ||
|-                                               
| task            || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x2F281 || 0x3A7D6 || 0x3AEF7 ||
|-                                               
| cleareep        || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x2F460 || 0x3A99E || 0x3B0BF ||
|-                                               
| commt          || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x2F499 || 0x3A9D7 || 0x3B0F8 ||
|-                                                
| bestat          || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2F79B || 0x3ACD9 || 0x3B3FA ||
|-                                               
| bringup / BOOT  || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2DAC3 || 0x39018 || 0x39739 ||
|-                                               
| shutdown / HALT || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2DC1C || 0x39171 || 0x39892 ||
|-                                               
| r / R8<br>r16 / R16<br>r32 / R32          || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2DC9B || 0x391F0 || 0x39911 ||
|-                                               
| r64<br>r64d    || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2E7BC || 0x39D11 || 0x3A432 ||
|-                                               
| w / W8<br>w16 / W16<br>w32 / W32          || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2E03B || 0x39590 || 0x39CB1 ||
|-                                               
| w64<br>wbe      || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2E6C1 || 0x39C16 || 0x3A337 ||
|-                                               
| BOOTENABLE      || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2DC7B || 0x391D0 || 0x398F1 ||
|-                                               
| EEP            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2E8C2 || 0x39E17 || 0x3A538 ||
|-                                               
| PDAREA<br>CSAREA          || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2E9B8 || 0x39F0D || 0x3A62E ||
|-                                               
| portset        || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x2EC36 || 0x3A18B || 0x3A8AC ||
|-                                               
| extend          || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2ECF9 || 0x3A24E || 0x3A96F ||
|-                                               
| version        || {{cellcolors|#ddddff}} <abbr title="0x0F00">ANY</abbr> || 0x080D0  || 0x0A0F1  || 0x0A0FF  ||
|-                                               
| revision        || {{cellcolors|#ddddff}} <abbr title="0x0F00">ANY</abbr> || 0x0812B  || 0x0A14C  || 0x0A15A  ||
|-                                               
| setcmdlong / SETCMDLONG || {{cellcolors|#ddddff}} <abbr title="0x0F00">ANY</abbr> || 0x08251  || 0x0A272  || 0x0A280  ||
|-                                               
| VER            || {{cellcolors|#ddddff}} <abbr title="0x0F00">ANY</abbr> || 0x081C3  || 0x0A1E4  || 0x0A1F2  ||
|-                                               
| csum            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x08356  || 0x0A37B  || 0x0A389  ||
|-                                               
| AUTH1<br>AUTH2  || {{cellcolors|#ffffcc}} <abbr title="0x0B00">B_AUTH</abbr> || 0x08555  || 0x0A5AF  || 0x0A5BD  ||
|-                                               
| AUTHVER        || {{cellcolors|#ddddff}} <abbr title="0x0F00">ANY</abbr> || 0x086FB  || 0x0A755  || 0x0A763  ||
|-                                               
| errlog / ERRLOG || {{cellcolors|#ddddff}} <abbr title="0x0F00">ANY</abbr> || 0x311DA || 0x3C484 || 0x3CC7D ||
|-                                               
| powersw        || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x31C87 || 0x3D005 || 0x3D7FE ||
|-                                               
| ejectsw        || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x31CA5 || 0x3D023 || 0x3D81C ||
|-                                               
| doorsw          || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || {{cellcolors|lightgrey}} N/A ? || {{cellcolors|lightgrey}} N/A ? || 0x3D83C ||
|-                                               
| buzzduty        || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x31CC5 || 0x3D043 || 0x3D8D7 ||
|-                                               
| buzz            || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x31D24 || 0x3D0A2 || 0x3D936 ||
|-                                               
| VID            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x33F98 || 0x3FC43 || 0x404D8 ||
|-                                               
| CID<br>ECID            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x340BF || 0x3FD6A || 0x405FF ||
|-                                               
| SPU            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x34211 || 0x3FEBC || 0x40751 ||
|-                                               
| REV            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x342BC || 0x3FF67 || 0x407FC ||
|-                                               
| KSV            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x34363 || 0x4000E || 0x408A3 ||
|-                                               
| MOUNTINFO      || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || {{cellcolors|lightgrey}} N/A ? || {{cellcolors|lightgrey}} N/A ? || 0x4095B ||
|-                                               
| portscan        || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x3441B || 0x400C6 || 0x40A2A ||
|-                                               
| eepcsum        || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x33F46 || 0x3FBF1 || 0x40486 ||
|-                                               
| patchinfo      || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x346DD || 0x40388 || 0x40CF2 ||
|-                                               
| poll            || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x346F3 || 0x4039E || 0x40D08 ||
|-                                               
| recv            || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x3470F || 0x403BA || 0x40D24 ||
|-                                               
| send            || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x3472B || 0x403D6 || 0x40D40 ||
|-                                               
| LS              || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x34747 || 0x403F2 || 0x40D5C ||
|-                                               
| hversion        || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x34763 || 0x4040E || 0x40D78 ||
|}


= Access to Syscon from Linux =
Access SysCon ROM without needing ps3dm-utils: http://wiki.gitbrew.org/wikibrew/PS3:HvReverseEngineering#SYSCON

= List of Soft IDs in Decimal Form =
<pre>
2958
3094
3410
3519
3689
3881
3896
</pre>

= Placeholder for bga patch key generation =

<pre>
34 3A 00 00 00 00 5F 5F 53 43 45 49 53 59 53 31
</pre>

<pre>
4:....__SCEISYS1
</pre>

OR (slim DYN-001)

<pre>
00 00 00 00 5F 5F 5F 5F 53 43 45 49 53 59 53 31
</pre>

<pre>
....____SCEISYS1
</pre>

* replace 4 dots with soft id in decimal form, xor with 0x140 key and with hasher patcher key and encrypt with master patcher key to obtain hasher master key for that soft id

= PTCH Firmware TOC =
{| class="wikitable"
|-
!Offset!!Size!!Notes
|-
| 0x00 || 0x2 || Major Version
|-
| 0x02 || 0x2 || Minor Version
|-
| 0x04 || 0x2 || Major Revision
|-
| 0x06 || 0x2 || Minor Revision
|-
|}
{{Custom Firmware}}<noinclude>[[Category:Main]]</noinclude>

Latest revision as of 08:30, 22 June 2024

Description

The Syscon firmware (also known as system controller firmware) is the software stored inside syscon. It is composed of the base firmware (not updateable in retail syscon models) and an optional patch that is applied virtually at runtime on top of the base firmware.
The syscon patches (also known as system controller update packages) for retail PS3 models are distributed in PKG format inside the Update_files.tar of the PS3UPDAT.PUPs. Syscon patches appear to always be 5KB (5376 bytes) in size.

Update procedure

The PS3 firmware installer PUPs contain a collection of syscon patches for all the different syscon chips used in the different motherboard models. The ps3swu.self (system updater) checks the syscon SoftID and installs the compatible patch accordingly (via the updater manager ss service).
The non-retail PS3 models with syscon CXR713F120A don't have patches. This special syscon model with the "F" product code (which seems to indicate that it is fully flashable) allows the base syscon firmware to be overwritten through the Communication Processor.

Syscon firmwares

Mullion
SoftID Firmware version Build target Build date Adds support for Platform IDs Corresponding SDK / CP versions Notes
- v0.4.5_b4 BACKUP 2005 (Cyt1.0), (Cyt1.1), (Cyt2.1), (Cok01) 0.40 Only used on the backup bank of flash models
06DA v0.6.1_c8 CYTOLOGY 2006/01/31 Cyt1.2, Cyt2.0, Cyt2.2, (Cok02), (Cok03) 0.80 / 0.3.2
073E v0.6.10_c4 CYTOLOGY 2006/03/01 (Cok05) 0.81 / 0.4.3/0.4.7
07FF v0.6.11_c4 CYTOLOGY 2006/03/27 Cyt3.0, Cyt3.1, Cyt3.2, (Cok08) 0.82 / 0.5.3
086C v0.6.12_c5 CYTOLOGY 2006/04/11 - 0.83 / 0.6.4/0.6.5/0.6.7
08F1 v0.6.12_c7 CYTOLOGY 2006/04/22 - 0.83
0955 v0.6.14_c4 CYTOLOGY 2006/05/01 - 0.84 / 0.7.1
0AF4 v0.8.4_c8 CYTOLOGY 2006/06/23 (Cok11) 0.85 / 0.8.4/0.8.8
0B48 v0.9.9_c1 CYTOLOGY 2006/07/07 Cyt3.3, Cyt3.4, (Cok12), (Cok13), (Cok14) 0.90 / 0.9.1
0B67 v0.9.13_k1 COOKIE 2006 - - COOKIE-13, COK-001(Proto), etc... with a CXR713F120A
0B74 v0.9.14_c1 CYTOLOGY 2006/08/03 - 0.91 / 0.9.2
0B8E v1.0.0_k1 COOKIE (201) 2006 - -
0B9D v1.0.1_c1 CYTOLOGY 2006/08/31 - 0.93 / 0.9.4
0C16 v1.1.3_k1 COOKIE (202) 2006 CokB10 -
0C23 v1.0.3_c1 CYTOLOGY 2006/12/04 - 1.50 / 1.1.1
0D52 v1.2.3_k1 COOKIE (203) 2007 CokC10, CokC11, CokC12, CokD10 -
0D79 v1.0.4_c1 CYTOLOGY 2007/06/21 - 1.90 / 1.2.0
0DBF v1.3.3_k1 COOKIE (301) 2007 - -
0E4E v1.0.4_c2 CYTOLOGY 2007/11/08 - 2.40 / 1.3.1
0E69 v1.4.4_k2 COOKIE (302) 2007 CokE10, Deb01 -
0F29 v1.5.0_k2 COOKIE (303) 2009 - - Removes hardcoding from previous firmware, adds support for 65nm RSX - not dumped yet
0F38 v1.5.1_k2 COOKIE (304) 2010 - - Adds support for 40nm RSX
0F3B v1.0.5_c1 CYTOLOGY 2010/05/12 - 3.60 / 1.3.3
Sherwood
SoftID Firmware version Build target Build date Adds support for Platform IDs Notes
0658 ?.??.? - 2008 CokF10 not dumped yet VERTIGO-02
065D 0.17.0 SW-301 2008 -
???? ?.??.? SW-302 2008 - not dumped yet VER-001
0832 1.11.0 SW2-301 2009 CokG10, CokG11
0898 1.15.0 - 2009 CokH10, CokH11, CokJ12
08A0 1.16.0 SW2-302 2009
08C2 1.21.0 SW2-303 2010 CokJ13, CokJ20
0918 2.3.0 SW3-301 2011 CokK10
098F 2.12.0 SW3-302 2012 CokM20, CokM40, CokN10, CokN30
???? ?.??.? SW3-303 2013 - not dumped yet (unknown PS3 model/motherboard)
09A4 2.21.0 SW3-304 2013 -

Syscon patches

CECHAxx Refurbished 40nm RSX / COK-001 / CXR714120-304GB
Syscon firmware v1.5.1_k2 patch 1

CECH-20xx / DYN-001 / SW2-301
Syscon firmware 1.11.0 patch 1.2.83E.832

These patches are included in full Retail/CEX and Debug/DEX firmwares. They are intended to fix problems in the syscon firmware:

  • Fix 1) System firmware 1.30 (December 6, 2006). Disables UART access to the Syscon EEPROM patch region (not for 0832)
  • Fix 2) System firmware 1.81 (June 15, 2007). Patch for the HDMI display data channel read function (only for 0B8E and 0C16)
  • Fix 3) System firmware 3.00 (September 1, 2009). Unknown patch (only for 0832)
  • Fix 4) System firmware 3.40 (June 29, 2010) and 3.41 (July 26, 2010). Patch for the rtc read function (not for 0832)
SoftID sys_con_firmware package 1.00~1.11 1.30~1.80 1.81~2.80 3.00~3.30 3.40 3.41~4.88 Notes
0B8E SYS_CON_FIRMWARE_01000004.pkg No Yes (fix 1) No No No No Superseded by SYS_CON_FIRMWARE_01000005.pkg
SYS_CON_FIRMWARE_01000005.pkg No No Yes (fix 1+2) No No Superseded by SYS_CON_FIRMWARE_01000006.pkg
SYS_CON_FIRMWARE_01000006.pkg No No No No Yes (fix 1+2+4) CXR713120-201GB ...4706
0C16 SYS_CON_FIRMWARE_01010302.pkg No No Yes (fix 1+2) No No Superseded by SYS_CON_FIRMWARE_01010303.pkg
SYS_CON_FIRMWARE_01010303.pkg No No No No Yes (fix 1+2+4) CXR713120-202GB ...7214
0D52 SYS_CON_FIRMWARE_01020302.pkg No No No No Yes (fix 1+4) CXR713120-203GB ...F427
0DBF SYS_CON_FIRMWARE_01030302.pkg No No No No Yes (fix 1+4) CXR714120-301GB ...F321
0E69 SYS_CON_FIRMWARE_01040402.pkg No No No No Yes (fix 1+4) CXR714120-302GB ...5096
0F29 SYS_CON_FIRMWARE_01050002.pkg No No No No Yes (fix 1+4) CXR714120-303GB
0F38 SYS_CON_FIRMWARE_01050101.pkg No No No No No Yes (fix 1+4) CXR714120-304GB ...16FA
0832 SYS_CON_FIRMWARE_S1_00010002083E0832.pkg No No No Yes (fix 3) SW2-301

The More System Information screen shows some details related to syscon. The syscon firmware version can be derived from the SoftID, and if a patch is installed, the PatchID displayed on the screen contains both the syscon firmware version and the patch version. Note also that there is a direct relationship between the PatchID displayed on the screen and the patch filename. The syscon UART commands also display some information about the base syscon firmware and the patch.

Some examples from syscon UART:

CECHC, CECHE / COK-002 / CXR713120-202GB
>$ revision
0C16

>$ version
v1.1.3_k1

>$ patchvereep
major:0x0001
minor:0x0001
patch:0x0003
revision:0x0003

>$ patchcsum
r1 csum: [00030266] [018DB626] [90662679]
r2 csum: [000069C5] [0046B830] [5E535A06]
CECH-20xx / DYN-001 / SW2-301
>$ revision
# Revision = 2098(0832)

>$ version
# Sherwood Version = 1.11.0

>$ patchinfo
#
# MAJOR   :0000
# MINOR   :0000
# REV     :0000
# SYS_REV :0000
# TABLE   :00FFFFFF
# DATSIZ  :FFFF
# DATSUM  :FFFF
# SUM     :FFFF
# not applyed
CECH-20xx / DYN-001 / SW2-301
>$ revision
# Revision = 2098(0832)

>$ version
# Sherwood Version = 1.11.0

>$ patchinfo
#
# MAJOR   :0001
# MINOR   :0002
# REV     :083E
# SYS_REV :0832
# TABLE   :0000201A
# DATSIZ  :0FAA
# DATSUM  :02AB
# SUM     :035D
# applyed


  • Mullion PatchID names format (major, minor, patch, revision)
    • 0B8E.0000000000000000@SC = syscon firmware v1.0.0_k1, not patched
    • 0B8E.0001000000000005@SC = syscon firmware v1.0.0_k1, patch 5 (filename SYS_CON_FIRMWARE_01000005.pkg)
    • 0F38.0000000000000000@SC = syscon firmware v1.5.1_k2, not patched
    • 0F38.0001000500010001@SC = syscon firmware v1.5.1_k2, patch 1 (filename SYS_CON_FIRMWARE_01050101.pkg)
  • Sherwood PatchID names format (major, minor, rev, sys_rev)
    • 0832.0000000000000000@SC = syscon firmware 1.11.0, not patched
    • 0832.00010002083E0832@SC = syscon firmware 1.11.0, patch 1.2.83E.832 (filename SYS_CON_FIRMWARE_S1_00010002083E0832.pkg)
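
The PatchID-to-filename relationship listed above, as an added example (not code from the wiki or from the PS3 firmware): it splits a PatchID string into its SoftID and four 16-bit words and derives the package filename a given console should be carrying. The Mullion low-byte filename rule and the Sherwood check that SYS_REV equals the SoftID are inferred from the examples on this page, and the function names are hypothetical.

```python
import re

# SoftIDs copied from the Mullion and Sherwood firmware tables on this page.
# The numeric ranges overlap, so the family must be looked up, not guessed.
SHERWOOD_SOFT_IDS = {
    0x0658, 0x065D, 0x0832, 0x0898, 0x08A0, 0x08C2, 0x0918, 0x098F, 0x09A4,
}
MULLION_SOFT_IDS = {
    0x06DA, 0x073E, 0x07FF, 0x086C, 0x08F1, 0x0955, 0x0AF4, 0x0B48, 0x0B67,
    0x0B74, 0x0B8E, 0x0B9D, 0x0C16, 0x0C23, 0x0D52, 0x0D79, 0x0DBF, 0x0E4E,
    0x0E69, 0x0F29, 0x0F38, 0x0F3B,
}

PATCH_ID_RE = re.compile(r"([0-9A-Fa-f]{4})\.([0-9A-Fa-f]{16})@SC")


def parse_patch_id(text):
    """Split 'SSSS.WWWWXXXXYYYYZZZZ@SC' into (soft_id, family, four words)."""
    match = PATCH_ID_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"not a PatchID string: {text!r}")
    soft_id = int(match.group(1), 16)
    body = match.group(2)
    words = tuple(int(body[i:i + 4], 16) for i in range(0, 16, 4))
    if soft_id in SHERWOOD_SOFT_IDS:
        family = "sherwood"
    elif soft_id in MULLION_SOFT_IDS:
        family = "mullion"
    else:
        raise ValueError(f"SoftID {soft_id:04X} is not in the tables on this page")
    return soft_id, family, words


def expected_package(text):
    """Return the package filename for a PatchID, or None when unpatched."""
    soft_id, family, words = parse_patch_id(text)
    if not any(words):
        return None  # all-zero PatchID: base firmware only
    if family == "sherwood":
        # Words are (major, minor, rev, sys_rev). Assumption from the page's
        # single Sherwood example: sys_rev repeats the SoftID.
        if words[3] != soft_id:
            raise ValueError(
                f"SYS_REV {words[3]:04X} does not match SoftID {soft_id:04X}"
            )
        return "SYS_CON_FIRMWARE_S1_" + "".join(f"{w:04X}" for w in words) + ".pkg"
    # Mullion words are (major, minor, patch, revision). Inferred rule: the
    # filename keeps only the low byte of each word.
    if any(w > 0xFF for w in words):
        raise ValueError("Mullion PatchID word does not fit the 8-digit filename")
    return "SYS_CON_FIRMWARE_" + "".join(f"{w:02X}" for w in words) + ".pkg"


if __name__ == "__main__":
    for patch_id in (
        "0B8E.0001000000000005@SC",
        "0F38.0001000500010001@SC",
        "0832.00010002083E0832@SC",
        "0832.0000000000000000@SC",
    ):
        print(patch_id, "->", expected_package(patch_id))
```
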


Package structure

Sys_con_firmware Packages can be unpacked with unpkg. See PKG files and Certified File

Header

Address Length Value Description
0x00 0x4 ASCII:"SCE" SCE magic header
0x04 0x4 0x2 Version
0x08 0x2 0x0 Attribute
0x0A 0x2 0x3 Category (0x3 = Update Package)
0x0C 0x4 0x0 Extended Header Size (no ext header)
0x10 0x8 0x280 File Offset (hdr_len)
0x18 0x8 0x1080 File Size (dec_size)
0x20 0x260 - Encrypted part of header
0x280 0x40 - update_package_header section (see below)
0x2C0 0x40 - update_package_contents_header section (see below)
0x300 0x1000 - content section

Update Package Header

{| class="wikitable"
! Address !! Length !! Value !! Description
|-
| 0x00 || 0x4 || 0x3 || Header Version? 3 (fixed value for all PS3 update packages)
|-
| 0x04 || 0x4 || 0x8 || SoftType? 8 = SC firmware
|-
| 0x08 || 0x8 || - || SC firmware revision (the high word of it is the SC type)
|-
| 0x0C || 0x4 || 0x0B8E(1.30-4.84)<br>0x0C16(1.81-4.84)<br>0x0D52(3.40-4.84)<br>0x0DBF(3.40-4.84)<br>0x0E69(3.40-4.84)<br>0x0F29(3.40-4.84)<br>0x0F38(3.41-4.84)<br>0x0832(3.00-4.84) || 'SoftID'
|-
| 0x10 || 0x8 || 0x0001000000000004<br>0x0001000000000005<br>0x0001000000000006<br>0x0001000100030002<br>0x0001000100030003<br>0x0001000200030002<br>0x0001000300030002<br>0x0001000400040002<br>0x0001000500000002<br>0x0001000500010001<br>0x00010002083E0832 || 'PatchID' (official name is "version")
|-
| 0x18 || 0x8 || 0x1000 || Content Data Size
|-
| 0x20 || 0x8 || 0x1000 || Content Compressed Data Size
|-
| 0x28 || 0x4 || 0x0 || Attribute
|-
| 0x2C || 0x4 || 0x0 || Region
|-
| 0x30 || 0x8 || 0x0 || Image Offset
|-
| 0x38 || 0x8 || 0x0 || Reserved_0
|}

Note: PS3 firmwares cannot deal with compressed syscon firmwares, so they will abort the update process in that case.

Note2: The PatchID is also present in the first 8 bytes of decrypted content but 16bit swapped for ARM BGAs

Update Package Contents Header

Address Length Value Description
0x00 0x8 0x3 Header Version?
0x08 0x8 0x40 Header Size?
0x10 0x8 0x0 Chunk Offset
0x18 0x8 0x1000 Chunk Size
0x20 0x8 0x1 Current Chunk
0x28 0x8 0x1 Chunks Total
0x30 0x8 0x0 Reserved_0?
0x38 0x8 0x0 Reserved_1?

Content

Address Length Value Description
0x0 0x1000 - Content Data

Content Data Header

The header format is partially unknown at this stage. All the firmware patches are written in little endian.

{| class="wikitable"
! Offset !! Length !! Field !! Related DECR Error !! Notes
|-
| 0x0 || 0x4 || Magic || FFFFFED2 (Magic Error) || 0x1B2D700F in mullions, sys1 in cytology ?
|-
| 0x4 || 0x10 || Header CMAC1 || FFFFFED1 (Header Check Error) || CMAC of Partial Header (0x10,0x30 size) with header first 4 bytes instead of random 4 bytes<br>and where Header CMAC2 is zeroed Concatenated with Encrypted Body
|-
| 0x14 || 0x10 || Header CMAC2 || || CMAC of Header (where this cmac has been zeroed)
|-
| 0x24 || 0x4 || Padding || ||
|-
| 0x28 || 0x4 || Total size || || Always 0x1000 in mullions, 0x60040 in cytology ?
|-
| 0x2C || 0x4 || Size of binary || || Always 0xFC0 in mullions, 0x60000 in cytology ?
|-
| 0x30 || 0x10 || IV for AES-128 CBC || ||
|-
| 0x40 || 0xFC0 || Encrypted binary || FFFFFED0 (Data Check Error)<br>FFFFFECF (Data Size Check Error) ||
|}
  • Note: For the weird bogus update ONLY: FFFFFF37 (Alignment Error?) (Trying any data size between 0x41 and 0x4C bytes)
  • Note2: v0.6.14c4 is the bogus update (only update with a weird header)
  • Note3: setting data between 0x40 to 0x4C to zero in bogus update yields error FFFFFED0

Samples

00000000  1B 2D 70 0F AB 5E B3 99 68 20 FE 3D E1 80 6A 1D  .-p.«^³™h þ=á€j.
00000010  B8 FD 37 CF CD 45 85 AB 51 F7 05 E3 EA 32 A5 EA  ¸ý7ÏÍE…«Q÷.ãê2¥ê
00000020  67 45 F9 48 00 00 00 00 00 10 00 00 C0 0F 00 00  gEùH........À...
00000030  8B 04 07 F9 9B A2 90 3A 75 89 F1 42 12 59 DA 0D  ‹..ù›¢.:u‰ñB.YÚ.
00000040  21 7C A2 C3 5A E4 78 00 10 8D 4B F7 A2 73 9C 63  !|¢ÃZäx...K÷¢sœc
00000050  5D 8D 5D 49 16 C7 6F 2C AD 33 FE 1F D3 6C A1 CA  ].]I.Ço,.3þ.Ól¡Ê
00000060  BA AD 2B FE 8F 33 71 D7 C5 E6 5C FF BF 77 6C 80  º.+þ.3q×Åæ\ÿ¿wl€
00000070  F2 BE 11 BB 3C 52 52 DC A9 68 E5 24 AD 4F F3 48  ò¾.»<RRÜ©hå$.OóH

-From v1.0.4c2_TMU510_u-

00000000   73 79 73 31 73 47 59 5D  FB 85 3B 7B 4A 28 10 5D   sys1sGY]û…;{J( ]
00000010   46 EE 8C 01 3C B4 F1 82  1E 18 4F B7 4A 56 FC C7   FîŒ <´ñ‚  O·JVüÇ
00000020   FF 83 0B E0 00 00 00 00  40 00 06 00 00 00 06 00   ÿƒ à    @       
00000030   69 B6 02 69 3A 97 8B 1C  4E 18 D4 E0 63 7D CA 94   i¶ i:—‹ N Ôàc}Ê”
00000040   4B A0 79 34 79 41 BD 09  BB 68 D4 0A A0 B7 05 78   K y4yA½ »hÔ  · x
00000050   D9 8F 8F 28 6C 9A 1B 61  CF A1 E7 49 7D CA C4 A3   Ù  (lš aÏ¡çI}ÊÄ£
00000060   A4 4D 4B E0 AE 48 86 03  B1 43 F2 47 C0 C4 1D 4F   ¤MKà®H† ±CòGÀÄ O
00000070   FA E8 43 A7 1E 6E 79 8C  E5 FF 04 20 E9 44 09 B5   úèC§ nyŒåÿ  éD µ
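
An added example (not part of the original page or of any Sony tool) that parses the 0x40-byte Content Data Header from the two sample dumps above and runs structural sanity checks on it before any cryptographic processing. The zero-padding check and the `total size = binary size + 0x40` relation are assumptions that hold for both samples; the function names are hypothetical.

```python
import struct
from dataclasses import dataclass

HEADER_SIZE = 0x40
AES_BLOCK = 16  # the table lists an IV for AES-128 CBC, so the body is whole blocks

# Magic -> (family, total size, binary size), from the Content Data Header table.
KNOWN_LAYOUTS = {
    bytes.fromhex("1B2D700F"): ("mullion", 0x1000, 0xFC0),
    b"sys1": ("cytology", 0x60040, 0x60000),
}

# First 0x40 bytes of each sample dump, retyped from this page.
MULLION_SAMPLE = bytes.fromhex(
    "1B 2D 70 0F AB 5E B3 99 68 20 FE 3D E1 80 6A 1D"
    "B8 FD 37 CF CD 45 85 AB 51 F7 05 E3 EA 32 A5 EA"
    "67 45 F9 48 00 00 00 00 00 10 00 00 C0 0F 00 00"
    "8B 04 07 F9 9B A2 90 3A 75 89 F1 42 12 59 DA 0D"
)
CYTOLOGY_SAMPLE = bytes.fromhex(
    "73 79 73 31 73 47 59 5D FB 85 3B 7B 4A 28 10 5D"
    "46 EE 8C 01 3C B4 F1 82 1E 18 4F B7 4A 56 FC C7"
    "FF 83 0B E0 00 00 00 00 40 00 06 00 00 00 06 00"
    "69 B6 02 69 3A 97 8B 1C 4E 18 D4 E0 63 7D CA 94"
)


@dataclass(frozen=True)
class ContentHeader:
    magic: bytes        # 0x00, compared as raw bytes
    cmac1: bytes        # 0x04
    cmac2: bytes        # 0x14
    padding: int        # 0x24
    total_size: int     # 0x28, little endian
    binary_size: int    # 0x2C, little endian
    iv: bytes           # 0x30


def parse_content_header(blob):
    """Unpack the fixed 0x40-byte header at the start of the content data."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("content is shorter than the 0x40-byte header")
    return ContentHeader(*struct.unpack_from("<4s16s16sIII16s", blob, 0))


def check_content_header(hdr, content_len=None):
    """Return a list of structural problems; an empty list means none found."""
    problems = []
    layout = KNOWN_LAYOUTS.get(hdr.magic)
    if layout is None:
        problems.append(f"unknown magic {hdr.magic.hex().upper()}")
    else:
        family, total, binary = layout
        if (hdr.total_size, hdr.binary_size) != (total, binary):
            problems.append(f"sizes do not match the documented {family} values")
    if hdr.padding != 0:
        problems.append("padding at 0x24 is not zero")  # assumption
    if hdr.total_size != hdr.binary_size + HEADER_SIZE:
        problems.append("total size is not binary size + 0x40")  # assumption
    if hdr.binary_size % AES_BLOCK:
        problems.append("binary size is not a multiple of the AES block size")
    if content_len is not None and content_len != hdr.total_size:
        problems.append("file length differs from the header's total size")
    return problems


if __name__ == "__main__":
    for name, sample in (("mullion", MULLION_SAMPLE), ("cytology", CYTOLOGY_SAMPLE)):
        hdr = parse_content_header(sample)
        print(name, hex(hdr.total_size), hex(hdr.binary_size),
              check_content_header(hdr) or "ok")
```
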

Content Data Patch (encrypted)

Packages can be extracted with the unpkg tool. Extracted content of the updates appears to always be 0x1000 bytes (4KB).

The following is all theoretical and is intended to discard possibilities about modes of operation used by aes when decrypting body of firmware/patch
We know that:

  • Two key expansions are used before applying crypto on body (one probably for hashing. the other for decrypting with cbc)
  • Encrypt is used when applying crypto on body TopHalf (forward ttables) and Decrypt is used when applying on body Bottomhalf (inverse ttables)
  • Authenticated regions uses a form of what seems to be some ECB with tweak xoring (as graf once said about XTS)
  • XTS was introduced in 2007 and SysCon from ps3 exists for far more time than that (2003)
  • XEX is a close relative of XTS that was introduced in 1984
  • PS4 uses XTS for Authenticated Regions or SNVS (with sector size of 0x20 being used. is this even considered safe?)
  • 4 regions can be controlled for DPA and they are: 0x2790 (size 0x20) (FFs), patch header (most notably at offset 0x4 of header size 0x10 and 0x30 size 0x10), patch body tophalf(+0x40) and patch body bottomhalf(+0x50)
  • here are the DPA bytes for each of the controllable sections:
  • 21 06 23 DC A2 98 99 4D XX 87 F8 40 FC 48 1C BF (section 2/FF's from 0x2790 on DIA-001) -> 210623DCA298994DFE87F840FC481CBF
  • 21 06 23 DC A2 98 99 4D XX 87 F8 40 FC 48 1C BF (section 2/FF's from 0x2790 on DEB-001) -> 210623DCA298994DFE87F840FC481CBF
  • 16 32 47 79 C3 2C 47 D3 2B 39 CA B5 83 41 0E D5 (section 3/header from DIA-001 patch content)
  • XX XX XX XX 7B FC 27 CD D5 9A 05 09 3A DF E4 75 (section 3/header AA from DEB-001 patch content) -> 6E9CE7C57BFC27CDD59A05093ADFE475
  • 92 4A 87 88 20 59 6C 49 9F 0E 7D 77 2F 38 4C FC (section 3/header DD from DEB-001 patch content)
  • 7D C6 3B 3B 69 DF 67 4C 94 D7 D4 A8 E0 F8 5B B2 (section 4/body from DIA-001 patch content/tophalf/forward)
  • 73 XX F0 3D XX 9A F0 92 4D XX 62 DA XX 48 3C DB (section 4/body from DIA-001 patch content/bottomhalf/inverse)
  • 49 1F 7B 0A 48 BD 79 33 4E 16 89 F6 B0 25 86 48 (section 4/body from DEB-001 patch content/tophalf/forward)
  • 14 4D F1 D3 21 B6 17 46 60 81 42 E5 02 C9 07 66 (section 4/body from DEB-001 patch content/bottomhalf/inverse/PROPER) -> 6B3583DA1AA6B49106E1641178EE68C8 (inverse ttables)
  • some bytes are considered "weak" bytes and should be bruteforced in the eventuality these keys fail
  • another possibility is that both the header and the body are hashed and then decrypted, using for example, cmac and cbc
  • since key expansions take 10 "hills" in the analysis, it should be safe to assume that AES-128 is used(because it uses 10 rounds).
  • 6554cff202c3bfdd9740901070b705bf : correct md5 for patch content we are trying keys on (DIA-001)
  • 4875ad06a1499cc516a0d4d92e595794 : correct md5 for patch content we are trying keys on (DEB-001/DIA-002)
  • trying a different header/body patch content from another similar board will result into failure of decrypting body, which means that the header is checked for authenticity and that the header hash is NOT in the header
  • altering the patch header doesn't cause the patch header dpa bytes to change (a test was done with 4 bytes and the result was 16 32 47 79, which matches the other patch dpa recovered bytes)
  • there are in fact not 4 but 5 aes sections. the last one seems to be body related, as changing the body even one bit makes the last aes section disappear.
  • section 2 is divided into two sections, corresponding to TopHalf and BottomHalf of patch area.
  • TopHalf uses forward ttables/sbox. BottomHalf uses inverse ttables/sbox
  • TopHalf is ONLY the very first 0x10 bytes AFTER the header and into the body (corresponding to 0x40 in header size 0x10)
  • BottomHalf is the rest of the body itself.
  • DYN-001 processes one entire chunk of 0x1000 bytes, 0x40 for header and 0xFC0 for body, and not two of 0x400 and 0xC00 like the Sony models
  • 504 aes operations are done for the body (252/0xFC for cmac and 252/0xFC for cbc). it is unknown if cmac comes first or it is cbc.
  • All attacks show weak bytes in comparison with CXR(F), likely due to CXR being optimized for the attack (removed resistors/capacitors, etc)

Patch structure (decrypted)

Mullion Patch structure

Offset Size Name Number Example Notes
0x00 0x2 Major Version 1
0x02 0x2 Minor Version 1
0x04 0x2 Major Revision 1
0x06 0x2 Minor Revision 1
0x08 0x10 Patch Addresses 4*4
0x18 0x10 Patch Instruction / Data 4*4
0x28 0x10 Patch Jump Instruction Addresses 4*4
0x38 0x388 Additional Patch Instructions 1
0x3C0 0xC00 HDMI Patch 1

Sherwood Patch structure

Offset Size Name Number Example Notes
0x00 0x4 Magic 1 0x5D4E246B
0x04 0x2 Major Version 1 0x0001 In the output of the UART command patchinfo is named MAJOR
0x06 0x2 Minor Version 1 0x0002 In the output of the UART command patchinfo is named MINOR
0x08 0x2 Major Revision 1 0x083E In the output of the UART command patchinfo is named REV (patch revision)
0x0A 0x2 Minor Revision 1 0x0832 In the output of the UART command patchinfo is named SYS_REV (syscon revision)
0x0C 0x4 Absolute Table Address 1 0x0000201A In the output of the UART command patchinfo is named TABLE
0x10 0x2 Data Size 1 0x0FAA In the output of the UART command patchinfo is named DATSIZE
0x12 0x2 Data Checksum 1 0x02AB In the output of the UART command patchinfo is named DATSUM
0x14 0x2 Patch Checksum 1 0x035D In the output of the UART command patchinfo is named SUM (patch checksum)
0x16 0x2 Relative Data Address 1 0x0000 Not parsed/ignored on SW (only used on SW2/SW3). Relative to the patch start address (0x2000)
0x18 0x2 Relative Table Address 1 0x0000 Not parsed/ignored on SW (only used on SW2/SW3). Relative to the patch start address (0x2000)
0x1A 0x80 Table 4*0x20
0x9A 0x6 Padding - Not parsed/ignored on SW (only used on SW2/SW3)

Command list

Mullion

External commands

Address Command Subcommand Permission
0x32959 BOOT MODE 0x000080D6
0x329D5 BOOT CONT 0x000080D5
0x342D7 SHUTDOWN - 0x0000C0D5
0x32A51 HALT - 0x0000C0D5
0x32A85 BOOTENABLE - 0x0000809A
0x33491 AUTH1 - 0x0000C0EF
0x33525 AUTH2 - 0x0000C0EF
0x33619 AUTHVER SET 0x0000C0DF
0x335BF AUTHVER GET 0x0000C0FF
0x32AC3 EEP INIT 0x000080DA
0x32C51 EEP SET 0x0000C0DF
0x32D3D EEP GET 0x0000C0DF
0x32EA7 PDAREA SET 0x0000C0DF
0x32E3B PDAREA GET 0x0000C0DF
0x330C5 CSAREA SET 0x0000C0DF
0x33057 CSAREA GET 0x0000C0DF
0x33169 VID GET 0x0000C0D5
0x331D7 CID GET 0x0000C0D5
0x3321D ECID GET 0x0000C0D5
0x3325D REV SB 0x0000C0D5
0x3328D SPU INFO 0x0000C0D5
0x332E1 KSV - 0x0000C0D5
0x33685 FAN SETPOLICY 0x0000C0D7
0x33717 FAN GETPOLICY 0x0000C0D7
0x33781 FAN START 0x0000C0D7
0x33781 FAN STOP 0x0000C0D7
0x33951 FAN SETDUTY 0x0000C0D7
0x339C3 FAN GETDUTY 0x0000C0D7
0x33A27 R8 - 0x0000C0DF
0x33AD1 W8 - 0x0000C0DF
0x33B71 R16 - 0x0000C0DF
0x33C19 W16 - 0x0000C0DF
0x33CBB R32 - 0x0000C0DF
0x33E49 W32 - 0x0000C0DF
0x33EE9 RBE - 0x0000C0D5
0x33F91 WBE - 0x0000C0D5
0x34049 PORTSTAT - 0x0000C0DF
0x332BF VER - 0x0000C0FF
0x341C5 BUZ - 0x00008096
0x342D7 SERVFAN - 0x0000C0D7
0x341F9 ERRLOG START 0x0000C0DF
0x34221 ERRLOG STOP 0x0000C0DF
0x34249 ERRLOG GET 0x0000C0FF
0x342B3 ERRLOG CLEAR 0x0000C0DF

Internal commands

Command Address Perms SubCommands Description
becount 0xCA7D 0xDD0C0000 - Display bringup/shutdown count + Power-on time
bepgoff 0xA4E7 0xD00C0000 - BE power grid off
bepkt 0x2435D 0xDC0C0000 show/set/unset/mode/debug/help Packet permissions
bestat 0xD413 0xFD0F0000 - Get status of BE
boardconfig 0x99C7 0xDC0C0000 - Displays board configuration (NOT WORKING?)
bootbeep 0x1EA67 0xF0000000 stat/on/off Boot beep
bringup 0xD597 0xFD0F0000 - Turn PS3 on
bsn 0xD805 0xF00F0000 - Get board serial number
bstatus 0x24269 0xDD0C0000 - HDMI related status
buzz 0xA4FF 0xDC0C0000 [freq] Activate buzzer
buzzpattern 0xA8B7 0xDC0C0000 [freq] [pattern] [count] Buzzer pattern
clear_err 0x2595B 0xDD0C0000 last/eeprom/all Clear errors
clearerrlog 0xB8CB 0xDD0C0000 - Clears error log
comm 0x9919 0xDC0C0000 - Communication mode
commt 0x24907 0xDC0C0000 help/start/stop/send Manual BE communication
cp 0x1E077 0xF0000000 ready/busy/reset/beepremote/beep2kn1n3/beep2kn2n3 CP control commands
csum 0xD687 0xFF0F0000 - Firmware checksum
devpm 0xD053 0xDD0C0000 ata/pci/pciex/rsx Device power management
diag 0x9AAD 0xD00C0000 ... Diag (execute without param to show help) (NOT WORKING?)
disp_err 0x25911 0xDD0C0000 - Displays errors
duty 0x9B23 0xDD0C0000 get/getmin/getmax/getinimin/getinimax
set/setmin/setmax/setinimin/setinimax
Fan speed
 Usage: duty get fanconNo
    ex. duty get 1
dve 0x2995D 0xDC0C0000 help/set/save/show DVE chip parameters
eepcsum 0xAA65 0xDD0C0000 - Displays checksums of some eeprom areas
eepromcheck 0x9A1D 0x000C0000 [id] Check eeprom
eeprominit 0x9A65 0x000C0000 [id] Init eeprom
ejectsw 0xD611 0xFD0F0000 - Eject switch
errlog 0xB7ED 0xFF0C0000 - Gets the error log
fancon 0xD26D 0x0D000000 - Does nothing
fanconautotype 0xC075 0xDD0C0000 - Does nothing
fanconmode 0xBF35 0xDD0C0000 get Fan control mode (0=Full, 1=VaryTable & VaryServo, 2=Manual, 3=Minimum)
 Usage: fanconmode get fanconNo
    ex. fanconmode get 1
fanconpolicy 0xBBC9 0xDD0C0000 get/set/getini/setini Fan control policy (0=Full, 1=Auto, 2=Manual)
 Usage: fanconpolicy get fanconNo
    ex. fanconpolicy get 1
fandiag 0x1E91B 0xF0000000 - Fan Diagnostic (test)
faninictrl 0xD3D9 0x0D000000 - Does nothing
fanpol 0xCA31 0xDD0C0000 - Does nothing
fanservo 0xBF29 0xDD0C0000 - Does nothing
fantbl 0xC087 0xDD0C0000 get/set/getini/setini/gettable/settable/getselect/setselect Fan table: get/set - currently in RAM/in use ; getini/setini - stored in EEPROM (!! in COK the chksum is not updated automatically !!)
 Usage: fantbl set fanconNo pNo tempD tempU duty
    ex. fantbl set 0 p1 0x1400 0x1E40 0xC0
    ex. fantbl set 0 p1 20.0 30.25 75
 Usage: fantbl get fanconNo
    ex. fantbl get 1
firmud 0xD61D 0xFDFF0000 - Firmware update
geterrlog 0xB84F 0xDD0C0000 [id] Gets error log
getrtc 0xA6F3 0xDD0C0000 - Gets rtc
halt 0x1E107 0xF0000000 - Halts syscon
hdmi 0x29F39 0xDD0C0000 ... HDMI (various commands, use help)
[HDMI Help] HDMI System Start         :$ hdmi setup ([ChannelNo])
[HDMI Help] Show IC Type              :$ hdmi ictype [ChannelNo]
[HDMI Help] Display EDID              :$ hdmi redid  [ChannelNo] (p)
[HDMI Help] Display KSV               :$ hdmi rksv   [ChannelNo]
[HDMI Help] SiI Register Read         :$ hdmi r  [ChannelNo] [TargetDevID(0/1)] [OffsetAddr(hex)] [ReadSize(hex)]
[HDMI Help] SiI Register Write        :$ hdmi w  [ChannelNo] [TargetDevID(0/1)] [OffsetAddr(hex)] [WriteData(hex)]
[HDMI Help] Set 12bit Param           :$ hdmi 12bit  [ChannelNo] (d1:0 - d5:4)
[HDMI Help] Set 10bit Param           :$ hdmi 10bit  [ChannelNo] (d1:0 - d5:4)
[HDMI Help] DDC Bus Read              :$ hdmi dr [ChannelNo] [TargetDevID(0/1)] [OffsetAddr(hex)] [ReadSize(hex)]
[HDMI Help] DDC Bus Write             :$ hdmi dw [OffsetAddr(hex)] [WriteData(hex)]
[HDMI Help] Show Channel Status       :$ hdmi chstat  [ChannelNo]
[HDMI Help] Debug Log Verbose         :$ hdmi vbs ([Verbose Setting(hex)])
[HDMI Help] HDMI System Shutdown      :$ hdmi letup ([ChannelNo])
[HDMI Help] HDMI Eleguler Test        :$ hdmi hwreset ([ChannelNo])
[HDMI Help] HDMI Eleguler Test KPL    :$ hdmi hwreset2 ([ChannelNo])
[HDMI Help] HDMI Manage Struct Dump   :$ hdmi dumpst ([ChannelNo])
[HDMI Help] Show HDMI and DVE Port Num:$ hdmi ports
[HDMI Help] Show Timer Value          :$ hdmi timer
[HDMI Help] Show I2C Resource         :$ hdmi i2c
[HDMI Help] Show Patch Information    :$ hdmi patch
[HDMI Help] Resolution Reset          :$ hdmi resrst [ChannelNo]
[HDMI Help] Show this Message         :$ hdmi help
hdmiid 0x29D1D 0xDC0F0000 - Get HDMI id's
hdmiid2 0x29D81 0xDC0F0000 - Get HDMI id's
hversion 0x2422F 0xDD0C0000 - Displays Platform ID
hyst 0xAEF5 0xDD0C0000 get/set/getini/setini This value is stored inside the Thermal Config area, every thermal sensor has their own. See: Hysteresis
 Usage: hyst set TZoneNo temp
    ex. hyst set 1 0x0200
    ex. hyst set 1 2.0
 Usage: hyst get TZoneNo
    ex. hyst get 14
lasterrlog 0xB7FF 0xDD0C0000 - Last error from log
ledmode 0xA80B 0xDC0C0000 [id] [id] Get led mode
LS 0x2421B 0xDD0C0000 - LabStation Mode
ltstest 0xCB97 0xDD0C0000 get/set be/rsx ?Temp related? values
osbo 0x1EA3F 0xF0000000 - Sets 0x2000F60
patchcsum 0xD9F7 0xDD0C0000 - Patch checksum
patchvereep 0xD9B1 0xDD0C0000 - Patch version eeprom
patchverram 0xD965 0xDD0C0000 - Patch version ram
poll 0x240E3 0xDD0C0000 - Poll log
portscan 0xDA0D 0xDD0C0000 [port] Scan port (NOT WORKING?)
powbtnmode 0xB911 0xDC0C0000 [mode (0/1)] Power button mode
powerstate 0xCE6F 0xDD0C0000 - Get power state
powersw 0xD5F9 0xFD0F0000 - Power switch
powupcause 0xB621 0xDD0C0000 - Power up cause
printmode 0x99D9 0xDC0C0000 [mode (0/1/2/3)] Set printmode
printpatch 0xD94F 0xDD0C0000 - Prints patch
r 0x8CA5 0xDD0C0000 [offset] [length] Read byte from SC
r16 0x8ED5 0xDD0C0000 [offset] [length] Read word from SC
r32 0x9191 0xDD0C0000 [offset] [length] Read dword from SC
r64 0x935D 0xDD0C0000 [offset] [length] Read qword from SC
r64d 0x948F 0xDD0C0000 [offset] [length] Read ?qword data? from SC
rbe 0x96F9 0xDD0C0000 [offset] Read from BE
recv 0x24135 0xDD0C0000 - Receive something
resetsw 0xD605 0xFC0F0000 - Reset switch
restartlogerrtoeep 0xB903 0xDD0C0000 - Reenable error logging to eeprom
revision 0xD7E1 0xFFFF0000 - Get SoftID
rrsxc 0xD313 0xDD0C0000 [offset] [length] Read from RSX
rtcreset 0xA7BB 0x000C0000 - Reset RTC
scagv2 0xE24F 0xFF000000 - Auth related?
scasv2 0xE207 0xDD000000 - Auth related?
scclose 0xE1EF 0xFF000000 - Auth related?
scopen 0xE121 0xFF000000 - Auth related?
send 0x2416F 0xDD0C0000 [variable] Send something
shutdown 0xD5C5 0xFD0F0000 - PS3 shutdown
startlogerrtsk 0xB8E7 0xDD0C0000 - Start error log task
stoplogerrtoeep 0xB8F5 0xDD0C0000 - Stop error logging to eeprom
stoplogerrtsk 0xB8D9 0xDD0C0000 - Stop error log task
syspowdown 0xB6E9 0xDD0C0000 3 params System power down
task 0x15005 0xDD0C0000 - Print tasks
thalttest 0xD813 0x000F0000 - Thermal Alert Test ? (does nothing), maybe it needs to be run while GameOS is working to trigger the XMB overheat warning message and the power off sequence
thermfatalmode 0xCA3B 0xDD0C0000 canboot/cannotboot Set boot mode after a thermal alert ?
therrclr 0xD3E5 0xDD0C0000 - Clears the thermal alert register ?
thrm 0xBF1D 0xDD0C0000 - Does nothing
tmp 0xAA69 0xDD0C0000 [tzone] Get temperature
 Usage: tmp TZoneNo
    ex. tmp 1
trace 0xB951 0xDD0C0000 ... Trace tasks (use help)
Usage: trace command param
    command:
      [status/start/stop/dump/print/id]
    param (with `id' command):
      available characters: [0-9][,][-]
      ex. trace id 1-12,16
trp 0xAB2F 0xDD0C0000 get/set/getini/setini This value is stored inside the Thermal Config area, every thermal sensor has their own
 Usage: trp set TZoneNo temp
    ex. trp set 2 0x5980
    ex. trp set 2 89.5
 Usage: trp get TZoneNo
    ex. trp get 14
tsensor 0xA279 0xDD0C0000 [tzone] Get raw temperature
 Usage: tsensor TZoneNo
    ex. tsensor 2
tshutdown 0xB2A1 0xDD0C0000 get/set/getini/setini Thermal shutdown. This value is stored inside the Thermal Config area, every thermal sensor has their own
 Usage: tshutdown set TZoneNo temp
    ex. tshutdown set 2 0x5A80
    ex. tshutdown set 2 90.5
 Usage: tshutdown get TZoneNo
    ex. tshutdown get 14
tshutdowntime 0xC95D 0xDD0C0000 get Thermal shutdown time. This value is stored inside the Thermal Config area, is a single value shared by all thermal sensors
tzone 0xB5E1 0xDD0C0000 - Shows a list of the "TZone" identifiers associated with every thermal sensor, and a short text description of them
Example, on cytology PS3 models
> tzone
00: 1st BE Primary
01: RSX Primary
02: XDR Primary
0A: Air Intake
0F: GbE
14: SB

Example, on cookie old
> tzone
00: 1st BE Primary
01: RSX Primary
03: BE VR
14: SB
15: EE+GS

Example, on cookie new
> tzone
00: 1st BE Primary
01: RSX Primary
14: SB

Example, on sherwood
> tzone
# 00:1st BE Primary
# 01:RSX Primary

version 0xD65F 0xFFFF0000 - Syscon firmware version
w 0x8BF9 0xDD0C0000 [offset] [value] Write byte to SC
w16 0x8E2D 0xDD0C0000 [offset] [value] Write word to SC
w32 0x8FED 0xDD0C0000 [offset] [value] Write dword to SC
w64 0x92A9 0xDD0C0000 [offset] [value] Write qword to SC
wbe 0x9665 0xDD0C0000 [offset] [value] Write to BE
wmmto 0xCB3B 0xDC0C0000 get Get watch dog timeout
wrsxc 0xD279 0xDD0C0000 [offset] [value] Write to RSX
xdrdiag 0x1E711 0xF0000000 start/info/result XDR diagnostics
xiodiag 0x1E875 0xF0000000 - XIO diagnostic
xrcv 0x25313 0xDC0C0000 - Xmodem receive

Sherwood

  • Permission
    • 0x0700 = A_AUTH
    • 0x0B00 = B_AUTH
    • 0x0300 = INT (Command not available from UART interface. Can be unlocked by patching syscon firmware)
    • 0x0F00 = ANY
Sherwood Commands
Columns: Command (lowercase / UPPERCASE), Perms, Address in SW-301, Address in SW2-301, Address in SW3-304, Notes
hdmi A_AUTH 0x32030 0x3D989 0x3E21D
tsensor A_AUTH 0x2FB30 0x3B1CF 0x3B8F0
tmp A_AUTH 0x2FE7F 0x3B3D5 0x3BAF6
trp A_AUTH 0x2FFA6 0x3B627 0x3BD48
tshutdown A_AUTH 0x301D8 0x3B645 0x3BD66
tzone A_AUTH 0x3041B 0x3B663 0x3BD84
thrm A_AUTH 0x30482 0x3B6C9 0x3BDEA
duty A_AUTH 0x307EF 0x3B95D 0x3C07E
fanconpolicy A_AUTH 0x30C0D 0x3BBB9 0x3C2DA
fanconmode A_AUTH 0x30DF9 0x3BD48 0x3C469
fantbl A_AUTH 0x30F3B 0x3BE58 0x3C579
fanservo A_AUTH N/A ? 0x3C07D 0x3C79E
fanservostat A_AUTH N/A ? 0x3C2E2 0x3CA03
fanservosetval A_AUTH N/A ? N/A ? 0x3CB6B
hyst A_AUTH 0x305F2 0x3B7F0 0x3BF11
powupcause A_AUTH 0x313EB 0x3C695 0x3CE8E
syspowdown A_AUTH 0x31460 0x3C70A 0x3CF03
devpm A_AUTH 0x316C6 0x3C98A 0x3D183
powerstate A_AUTH 0x318CF 0x3CB93 0x3D38C
nonfatalerror A_AUTH 0x31AC2 0x3CDF0 0x3D5E9
getrtc INT 0x2F82A 0x3AD68 0x3B489
help A_AUTH 0x2ED2B 0x3A280 0x3A9A1
meminfo INT 0x2EED7 0x3A42C 0x3AB4D
rbe INT 0x2EF63 0x3A4B8 0x3ABD9
DISABLEALLERASE A_AUTH 0x2F1FC 0x3A751 0x3AE72
task INT 0x2F281 0x3A7D6 0x3AEF7
cleareep INT 0x2F460 0x3A99E 0x3B0BF
commt INT 0x2F499 0x3A9D7 0x3B0F8
bestat A_AUTH 0x2F79B 0x3ACD9 0x3B3FA
bringup / BOOT A_AUTH 0x2DAC3 0x39018 0x39739
shutdown / HALT A_AUTH 0x2DC1C 0x39171 0x39892
r / R8, r16 / R16, r32 / R32 A_AUTH 0x2DC9B 0x391F0 0x39911
r64, r64d A_AUTH 0x2E7BC 0x39D11 0x3A432
w / W8, w16 / W16, w32 / W32 A_AUTH 0x2E03B 0x39590 0x39CB1
w64, wbe A_AUTH 0x2E6C1 0x39C16 0x3A337
BOOTENABLE A_AUTH 0x2DC7B 0x391D0 0x398F1
EEP A_AUTH 0x2E8C2 0x39E17 0x3A538
PDAREA, CSAREA A_AUTH 0x2E9B8 0x39F0D 0x3A62E
portset INT 0x2EC36 0x3A18B 0x3A8AC
extend A_AUTH 0x2ECF9 0x3A24E 0x3A96F
version ANY 0x080D0 0x0A0F1 0x0A0FF
revision ANY 0x0812B 0x0A14C 0x0A15A
setcmdlong / SETCMDLONG ANY 0x08251 0x0A272 0x0A280
VER ANY 0x081C3 0x0A1E4 0x0A1F2
csum A_AUTH 0x08356 0x0A37B 0x0A389
AUTH1, AUTH2 B_AUTH 0x08555 0x0A5AF 0x0A5BD
AUTHVER ANY 0x086FB 0x0A755 0x0A763
errlog / ERRLOG ANY 0x311DA 0x3C484 0x3CC7D
powersw A_AUTH 0x31C87 0x3D005 0x3D7FE
ejectsw A_AUTH 0x31CA5 0x3D023 0x3D81C
doorsw A_AUTH N/A ? N/A ? 0x3D83C
buzzduty INT 0x31CC5 0x3D043 0x3D8D7
buzz INT 0x31D24 0x3D0A2 0x3D936
VID A_AUTH 0x33F98 0x3FC43 0x404D8
CID, ECID A_AUTH 0x340BF 0x3FD6A 0x405FF
SPU A_AUTH 0x34211 0x3FEBC 0x40751
REV A_AUTH 0x342BC 0x3FF67 0x407FC
KSV A_AUTH 0x34363 0x4000E 0x408A3
MOUNTINFO A_AUTH N/A ? N/A ? 0x4095B
portscan A_AUTH 0x3441B 0x400C6 0x40A2A
eepcsum A_AUTH 0x33F46 0x3FBF1 0x40486
patchinfo A_AUTH 0x346DD 0x40388 0x40CF2
poll INT 0x346F3 0x4039E 0x40D08
recv INT 0x3470F 0x403BA 0x40D24
send INT 0x3472B 0x403D6 0x40D40
LS INT 0x34747 0x403F2 0x40D5C
hversion INT 0x34763 0x4040E 0x40D78

Access to Syscon from Linux

Access SysCon ROM without needing ps3dm-utils: http://wiki.gitbrew.org/wikibrew/PS3:HvReverseEngineering#SYSCON

Placeholder for bga patch key generation

34 3A 00 00 00 00 5F 5F 53 43 45 49 53 59 53 31
4:....__SCEISYS1

OR (slim DYN-001)

00 00 00 00 5F 5F 5F 5F 53 43 45 49 53 59 53 31
....____SCEISYS1
  • Replace the 4 dots with the SoftID in decimal form, XOR with the 0x140 key and with the cipher patcher key, then encrypt with the master patcher key to obtain the cipher master key for that SoftID.
  • Replace the 4 dots with the SoftID in decimal form, XOR with the 0x140 key and with the hasher patcher key, then encrypt with the master patcher key to obtain the hasher master key for that SoftID.